
OSSEC ‘Bug’ in 2.7.1 – Apache Web Log Decoding

Last week I posted how I had to redeploy my website because I moved to a new VPS deployment. As I was cleaning up various system configurations related to the migration, I noticed that my OSSEC Active Response alerts hadn’t been triggering at all since the migration.


I became suspicious of OSSEC and its processing of the Apache web logs, so I simulated a WordPress login brute-force attempt against my own site, and OSSEC failed to block me.

I decided to take a block of logs containing the failed login attempts and run them through ossec-logtest and it resulted in:

**Phase 1: Completed pre-decoding.
 full event: '169.235.114.5 - - [30/Apr/2014:14:58:40 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 1448 "https://www.ocabj.net/wordpress/wp-login.php" "Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53"'
 hostname: 'zion'
 program_name: '(null)'
 log: '169.235.114.5 - - [30/Apr/2014:14:58:40 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 1448 "https://www.ocabj.net/wordpress/wp-login.php" "Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53"'

**Phase 2: Completed decoding.
 decoder: 'pure-transfer'

**Phase 3: Completed filtering (rules).
 Rule id: '11310'
 Level: '0'
 Description: 'Rule grouping for pure ftpd transfers.'

Wait, “pure ftpd”? Why are my Apache web logs being processed as PureFTPD logs, thereby triggering PureFTPD rules processing?

At first I thought I had messed something up with my OSSEC install and configuration migration from the old VPS instance. So I reinstalled OSSEC 2.7.1 from scratch, but the behavior was the same.

After talking with a colleague, he remembered he had run into the exact same problem and had to comment out the PureFTPD related decoder and rules.

The issue lies with the regular expression and the ordering of the decoder processing.

PureFTPD logs appear as: <IP> - <USER> <DATE> <more...>.

Apache Web Logs appear as: <IP> - - <DATE> <more...>.

The prematch and regex for the PureFTPD decoder are:

<prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] </prematch>
<regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>

As you can see above, <IP> - - <DATE> will actually get picked up by the prematch of the PureFTPD decoder: the first dash matches the literal " - ", and the second dash in the Apache web log entry qualifies as a \S (any character that is not a space), so the prematch succeeds on a line that is not a PureFTPD log at all.

Also, since the PureFTPD decoder appears before the web log decoder in the local_decoder.xml for OSSEC, and the first decoder whose prematch succeeds wins, the Apache web logs are handed to the PureFTPD rules before they can ever reach the Apache web log decoder. The various web related rules are therefore never used to process the Apache web logs.
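To make the two problems described above concrete (a prematch that is too permissive, and first-match-wins decoder ordering), here is a small added Python model of the decoder selection step. It is not OSSEC code and not part of the original post: the prematches are transcribed from the post into Python's re syntax, the log lines are constructed samples, and the "strict" PureFTPD prematch uses a negative lookahead, which is a Python illustration of the idea rather than something OSSEC's own regex dialect supports.

```python
import re

# Constructed sample lines, same shape as the ones discussed in the post.
APACHE_LINE = ('203.0.113.5 - - [30/Apr/2014:14:58:40 -0700] '
               '"POST /wordpress/wp-login.php HTTP/1.1" 200 1448')
PUREFTPD_LINE = ('203.0.113.7 - jsmith [30/Apr/2014:15:01:12 -0700] '
                 '"GET /pub/file.tar.gz" 200 12345')

# The timestamp part of the prematch from the post. OSSEC treats "[" and "]"
# as literals; Python needs them escaped. \S and \d carry over unchanged.
DATE = r'\[\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d\]'

# PureFTPD prematch as shipped: "<IP> - <anything-non-space> <DATE> "
PUREFTPD_PREMATCH = re.compile(r'^\S+ - \S+ ' + DATE + ' ')

# A generic Apache access-log prematch: "<IP> - - <DATE> " (assumed shape, not
# copied from any OSSEC decoder file).
APACHE_PREMATCH = re.compile(r'^\S+ - - ' + DATE + ' ')

# Hypothetical tightened PureFTPD prematch: the user field must not be a bare
# "-" followed by a space, which is exactly what an Apache line has there.
# (Negative lookahead is Python syntax only; OSSEC's regex engine lacks it.)
PUREFTPD_PREMATCH_STRICT = re.compile(r'^\S+ - (?!-\s)\S+ ' + DATE + ' ')


def first_matching_decoder(line, decoders):
    """Model OSSEC's selection: the first decoder whose prematch hits wins."""
    for name, prematch in decoders:
        if prematch.search(line):
            return name
    return None


# Order as observed in the post: PureFTPD decoder is tried first.
BUGGY_ORDER = [('pure-transfer', PUREFTPD_PREMATCH),
               ('web-accesslog', APACHE_PREMATCH)]

# Fix 1: keep the order, tighten the PureFTPD prematch.
TIGHTENED_ORDER = [('pure-transfer', PUREFTPD_PREMATCH_STRICT),
                   ('web-accesslog', APACHE_PREMATCH)]

# Fix 2: keep the permissive prematch, but let the web decoder go first.
REORDERED = [('web-accesslog', APACHE_PREMATCH),
             ('pure-transfer', PUREFTPD_PREMATCH)]


if __name__ == '__main__':
    for label, order in (('as shipped', BUGGY_ORDER),
                         ('tightened prematch', TIGHTENED_ORDER),
                         ('web decoder first', REORDERED)):
        print(label)
        for line in (APACHE_LINE, PUREFTPD_LINE):
            print('  ', line[:40], '->', first_matching_decoder(line, order))
```

Run it and the "as shipped" ordering sends the Apache line to pure-transfer, which is the misdecoding shown in the ossec-logtest output; either tightening the prematch or moving the web decoder ahead of it sends the Apache line to web-accesslog while the real PureFTPD line still reaches pure-transfer.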

After commenting out the PureFTPD decoder and rules in the configuration files for OSSEC, I finally have the correct decoding and rules processing for my Apache web logs:

**Phase 1: Completed pre-decoding.
 full event: '169.235.114.5 - - [30/Apr/2014:14:58:40 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 1448 "https://www.ocabj.net/wordpress/wp-login.php" "Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53"'
 hostname: 'zion'
 program_name: '(null)'
 log: '169.235.114.5 - - [30/Apr/2014:14:58:40 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 1448 "https://www.ocabj.net/wordpress/wp-login.php" "Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53"'

**Phase 2: Completed decoding.
 decoder: 'web-accesslog'
 srcip: '169.235.114.5'
 url: '/wordpress/wp-login.php'
 id: '200'

**Phase 3: Completed filtering (rules).
 Rule id: '31509'
 Level: '3'
 Description: 'CMS (WordPress or Joomla) login attempt.'

**Alert to be generated.

The output above is for the same log line that was processed by OSSEC with PureFTPD decoding enabled. Notice how it properly decoded the web log entry and caught it as a ‘CMS (WordPress or Joomla) login attempt.’

This appears to be a new issue with OSSEC 2.7.1 because 2.7.0 did not have the PureFTPD decoder and ruleset.

A better solution than commenting out the PureFTPD related decoder and rules would be to fix the regexp for that specific decoder so it no longer matches Apache entries. But since I don’t use PureFTPD on my local instance of OSSEC, I’ll settle for this workaround.

Note that while I didn’t notice it until after I redeployed to a new VPS, my OSSEC deployment wasn’t processing the Apache web logs before that, either. I had upgraded OSSEC from 2.7.0 to 2.7.1 on my old VPS instance a few days prior to my full VPS migration.
