Sunday, November 25, 2018

Ignoring OSSEC rules

To ignore specific alerts in OSSEC, we can add custom rules to /var/ossec/rules/local_rules.xml.

In this case I'm going to ignore a Shibboleth error that OSSEC reported to me by email:

 OSSEC HIDS Notification.  
 2018 Nov 26 12:56:27  
 Received From: apn-lsrv01->/etc/httpd/logs/ssl_access_log  
 Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."  
 Src IP: 150.203.1.1  
 Portion of the log(s):  
 150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937  
  --END OF NOTIFICATION  

The parts we'll need from this notification are the rule ID (31122) and the request URL in the log line (/Shibboleth.sso/NIM/Artifact).

Before we add a rule to ignore this alert, we need to identify which rule group the triggering rule belongs to.

 cd /var/ossec/rules  
 grep -lir 31122 .  
 ./web_rules.xml  

Here we can see that rule 31122 is defined in web_rules.xml, so the group it belongs to is 'web'.

Now let's look at how OSSEC decodes the log line, using the ossec-logtest tool.
Start it by running /var/ossec/bin/ossec-logtest, then copy and paste the portion of the log you received in the email. You should get output similar to this:

 [root@apn-lsrv01 bin]# ./ossec-logtest  
 2018/11/26 13:08:06 ossec-testrule: INFO: Reading local decoder file.  
 2018/11/26 13:08:06 ossec-testrule: INFO: Started (pid: 8696).  
 ossec-testrule: Type one log per line.  
 150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937  
 **Phase 1: Completed pre-decoding.  
     full event: '150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937'  
     hostname: 'apn-lsrv01'  
     program_name: '(null)'  
     log: '150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937'  
 **Phase 2: Completed decoding.  
     decoder: 'web-accesslog'  
     srcip: '150.203.25.3'  
     srcuser: '-'  
     action: 'GET'  
     url: '/Shibboleth.sso/NIM/Artifact'  
     id: '500'  
 **Phase 3: Completed filtering (rules).  
     Rule id: '31122'  
     Level: '5'  
     Description: 'Web server 500 error code (Internal Error).'  
 **Alert to be generated.  

Here we can see that OSSEC decoded the log line with the url field set to '/Shibboleth.sso/NIM/Artifact'.

This means that when we write the rule to ignore this alert, we can match on the decoded url field.

Now we can create the rule by adding the following to the end of /var/ossec/rules/local_rules.xml:

 <group name="web," >  
  <rule id="100032" level="0">  
   <if_sid>31122</if_sid>  
   <url>/Shibboleth.sso</url>  
   <description>Ignore Shibboleth</description>  
  </rule>  
 </group>  
  • In this rule we specified that the rule belongs to the group called 'web' (OSSEC group names are a comma-separated list, which is why the name ends in a comma).
  • With if_sid, the rule only fires after rule 31122 has matched, so it refines that rule rather than replacing it.
  • And the URL should start with /Shibboleth.sso. Because the level is 0, a match is recorded but no alert is generated.
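To make the mechanics of that rule concrete, here is an added example, not OSSEC's own code or anything from the original post: a small Python model of the web-accesslog decode plus a two-rule chain (a cut-down stand-in for rule 31122 and the local rule 100032 above). The field patterns follow OSSEC's OSMatch style as I understand it, which is an assumption: a plain pattern matches anywhere in the field value, and a leading `^` anchors it to the start. The sample lines are constructed; only the first is the line from the notification above. The rule names, helper functions and the `ANCHORED_RULES` variant are all my own.

```python
import re

# Apache/NCSA common-log line, the shape the page's 'web-accesslog' decoder handles.
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ (?P<srcuser>\S+) \[[^\]]+\] '
    r'"(?P<action>[A-Z]+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) \S+'
)


def decode(line):
    """Emulate the decoder: return srcip/srcuser/action/url/id, or None if the line is not an access-log line."""
    m = ACCESS_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


# Rule chain: a cut-down stand-in for OSSEC's web rule 31122 plus local rule 100032 from this post.
# 'id_pattern' is tested against the decoded id (the HTTP status), 'url' against the decoded url.
# Pattern semantics (assumption, modelled on OSSEC's OSMatch): substring unless the pattern starts with '^'.
RULES = [
    {"id": "31122", "level": 5, "if_sid": None, "id_pattern": "^5", "url": None,
     "description": "Web server 500 error code (Internal Error)."},
    {"id": "100032", "level": 0, "if_sid": "31122", "id_pattern": None, "url": "/Shibboleth.sso",
     "description": "Ignore Shibboleth"},
]


def pattern_match(pattern, value):
    """OSMatch-style test: None pattern means no constraint; '^' anchors; otherwise substring."""
    if pattern is None:
        return True
    if value is None:
        return False
    if pattern.startswith("^"):
        return value.startswith(pattern[1:])
    return pattern in value


def evaluate(fields, rules=RULES):
    """Walk the chain in order; a child (if_sid) may only fire once its parent has. The last match wins."""
    fired = []
    for rule in rules:
        if rule["if_sid"] is not None and rule["if_sid"] not in {r["id"] for r in fired}:
            continue
        if pattern_match(rule["id_pattern"], fields["id"]) and pattern_match(rule["url"], fields["url"]):
            fired.append(rule)
    return fired[-1] if fired else None


def alert_level(line, rules=RULES):
    """Return (rule id, level) for a log line, or None if nothing decodes or no rule fires. Level 0 = no alert."""
    fields = decode(line)
    if fields is None:
        return None
    rule = evaluate(fields, rules)
    return (rule["id"], rule["level"]) if rule else None


# Constructed sample lines: the first is the line from the notification on this page, the rest are made up.
SAMPLE_LINES = {
    "shibboleth_500": '150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937',
    "other_500":      '150.203.25.3 - - [26/Nov/2018:12:58:01 +1100] "GET /index.php HTTP/1.1" 500 1200',
    "ok_200":         '150.203.25.3 - - [26/Nov/2018:12:58:02 +1100] "GET /index.html HTTP/1.1" 200 512',
    "nested_500":     '150.203.25.3 - - [26/Nov/2018:12:58:03 +1100] "GET /proxy/Shibboleth.sso/Login HTTP/1.1" 500 937',
}

# The same chain with the url pattern anchored, so only URLs that really start with /Shibboleth.sso are silenced.
ANCHORED_RULES = [RULES[0], dict(RULES[1], url="^/Shibboleth.sso")]

if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        print(f"{name:15} unanchored={alert_level(line)}  anchored={alert_level(line, ANCHORED_RULES)}")
```

Running it shows the behaviour ossec-logtest reports on this page: the Shibboleth 500 ends at rule 100032 with level 0, while a 500 on any other path still stops at 31122 with level 5, and a 200 fires nothing. The `nested_500` line is the point of the anchored variant: with the unanchored `/Shibboleth.sso` pattern a 500 on `/proxy/Shibboleth.sso/Login` is silenced too, so if the "starts with" reading in the bullets above is what you actually want, anchor the pattern and confirm it with ossec-logtest before restarting OSSEC.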

We can rerun ossec-logtest to check the new rule without restarting OSSEC. This time the output should look like this:

 [root@apn-lsrv01 bin]# ./ossec-logtest  
 2018/11/26 13:11:17 ossec-testrule: INFO: Reading local decoder file.  
 2018/11/26 13:11:17 ossec-testrule: INFO: Started (pid: 9181).  
 ossec-testrule: Type one log per line.  
 150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937  
 **Phase 1: Completed pre-decoding.  
     full event: '150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937'  
     hostname: 'apn-lsrv01'  
     program_name: '(null)'  
     log: '150.203.25.3 - - [26/Nov/2018:12:56:25 +1100] "GET /Shibboleth.sso/NIM/Artifact HTTP/1.1" 500 937'  
 **Phase 2: Completed decoding.  
     decoder: 'web-accesslog'  
     srcip: '150.203.25.3'  
     srcuser: '-'  
     action: 'GET'  
     url: '/Shibboleth.sso/NIM/Artifact'  
     id: '500'  
 **Phase 3: Completed filtering (rules).  
     Rule id: '100032'  
     Level: '0'  
     Description: 'Ignore Shibboleth'  

Now that the test shows rule 100032 matching at level 0 with no alert generated, we are ready to release the change by restarting OSSEC.