ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

web-accesslog does not match all web requests #914

Open colinmollenhour opened 8 years ago

colinmollenhour commented 8 years ago

While this is an edge case that is not representative of normal web requests, there are requests that may be logged by the web server that are not matched by the current decoder. The cases I've seen are triggered by security scanners/sniffers, which are arguably the most important requests to match, since OSSEC cannot take proper action if it cannot match the right decoder.

Example from an nginx log:

11.22.33.44 - - [01/Aug/2016:05:15:07 +0000] "GET /ariadne/www/loader.php/system/\x22><iMg src=N onerror=alert(document.cookie)> HTTP/1.1" 301 178 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.7)"

This results in an alert:

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

I added a decoder to local_decoders.xml which does match the request:

<decoder name="web-accesslog-unrecognized">
  <type>web-log</type>
  <prematch>^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \.+ HTTP/\d.\d" </prematch>
  <regex>^(\S+) \S+ \S+ [\S+ \S\d+] </regex>
  <regex>"\w+ (\.+) HTTP/\d.\d" (\d+) </regex>
  <order>srcip, url, id</order>
</decoder>

However, I think that this change should be made in the "web-accesslog" decoder directly. Specifically, the "\S+" used to match the url should be ".+" to allow spaces in the url.
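As an added example, not code from the OSSEC project or from this issue: a small Python harness that translates OSSEC's own regex dialect into Python's `re` and runs a decoder's prematch/regex over the log line above, so a candidate decoder can be checked offline before it goes into local_decoders.xml. `STRICT` (URL matched with `\S+`) is a constructed stand-in for the stock pattern, `PROPOSED` is the decoder from this issue, and `PLAIN_LOG` is a constructed ordinary request.

```python
import re

# OSSEC's regex dialect (OS_Regex) has its own escapes and no character
# classes: '[' and ']' are literals, '\.' means "any character" and a bare
# '.' is a literal dot. Only the escapes the decoder above uses are mapped.
_OSSEC_ESCAPES = {"S": r"\S", "s": " ", "d": r"\d", ".": ".",
                  "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]", "D": r"\D"}


def ossec_to_python(pattern):
    """Translate an OSSEC decoder pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):  # escape; unknown ones stay literal (assumption)
            out.append(_OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:  # ( ) ^ $ + * | mean the same in both dialects; all else is literal
            out.append(c if c in "()^$+*|" else re.escape(c))
            i += 1
    return "".join(out)


def decode(log, prematch, regex, order=("srcip", "url", "id")):
    """Apply a decoder as OSSEC does: prematch first, then the regex, with
    the capture groups mapped onto the <order> field names."""
    if not re.search(ossec_to_python(prematch), log):
        return None
    m = re.search(ossec_to_python(regex), log)
    return dict(zip(order, m.groups())) if m else None


# Constructed stand-in for the stock web-accesslog pattern: the URL is \S+.
STRICT = (r'^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \S+ HTTP/\d.\d" ',
          r'^(\S+) \S+ \S+ [\S+ \S\d+] "\w+ (\S+) HTTP/\d.\d" (\d+) ')
# The decoder proposed in the issue: \.+ lets the URL contain spaces.
PROPOSED = (r'^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \.+ HTTP/\d.\d" ',
            r'^(\S+) \S+ \S+ [\S+ \S\d+] "\w+ (\.+) HTTP/\d.\d" (\d+) ')

# The scanner request quoted in the issue (nginx writes '"' as \x22) and a
# constructed ordinary request, to show both decoders agree on normal traffic.
SCAN_LOG = ('11.22.33.44 - - [01/Aug/2016:05:15:07 +0000] "GET /ariadne/www/'
            'loader.php/system/\\x22><iMg src=N onerror=alert(document.cookie)>'
            ' HTTP/1.1" 301 178 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.7)"')
PLAIN_LOG = ('10.0.0.5 - - [01/Aug/2016:05:16:00 +0000] "GET /index.html HTTP/1.1"'
             ' 200 512 "-" "curl/7.47.0"')

if __name__ == "__main__":
    for name, dec in (("strict", STRICT), ("proposed", PROPOSED)):
        print(name, decode(SCAN_LOG, *dec), decode(PLAIN_LOG, *dec))
```

The strict pattern returns None for the scanner line (so OSSEC would fall through to the generic rule 1002), while the proposed one yields srcip, url and id for it and both agree on the ordinary request.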

leofeyer commented 5 years ago

I second this. Using (\.+) instead of (\S+) will allow us to decode requests like this:

EDIT: Even with (\.+), OSSEC still does not match the request below.

http://domain.com/wp-admin/admin-ajax.php?action=update_zb_fbc_code&domain=</script><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, ..., 41, 59, 10, 125));</script>

Right now those requests end in a level 13 alert:

Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."