packages: ossec-hids/asl_rules.xml (NEW), ossec-hids/asl-shun.pl (NEW), oss...

marti marti at pld-linux.org
Mon Apr 18 14:41:37 CEST 2011


Author: marti                        Date: Mon Apr 18 12:41:37 2011 GMT
Module: packages                      Tag: HEAD
---- Log message:
- initial version of ossec-hids, PLDized from RHEL, buildable, but needs review in case of TODO in SPEC

---- Files affected:
packages/ossec-hids:
   asl_rules.xml (NONE -> 1.1)  (NEW), asl-shun.pl (NONE -> 1.1)  (NEW), authpsa_rules.xml (NONE -> 1.1)  (NEW), courier-imap-rules.patch (NONE -> 1.1)  (NEW), decoder-asl.patch (NONE -> 1.1)  (NEW), denyhosts-decoder.patch (NONE -> 1.1)  (NEW), disable-psql.patch (NONE -> 1.1)  (NEW), firewall-drop-update.patch (NONE -> 1.1)  (NEW), ossec-client-conf.patch (NONE -> 1.1)  (NEW), ossec-client-init.patch (NONE -> 1.1)  (NEW), ossec-configure (NONE -> 1.1)  (NEW), ossec-hids-find-requires (NONE -> 1.1)  (NEW), ossec-hids.init (NONE -> 1.1)  (NEW), ossec-hids.logrotate (NONE -> 1.1)  (NEW), ossec-hids-server-reload.patch (NONE -> 1.1)  (NEW), ossec-hids.spec (NONE -> 1.1)  (NEW), ossec-hids.spec~ (NONE -> 1.1)  (NEW), smtp_auth-decoder.patch (NONE -> 1.1)  (NEW), syslog_rules.patch (NONE -> 1.1)  (NEW), zabbix-alert.sh (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/ossec-hids/asl_rules.xml
diff -u /dev/null packages/ossec-hids/asl_rules.xml:1.1
--- /dev/null	Mon Apr 18 14:41:37 2011
+++ packages/ossec-hids/asl_rules.xml	Mon Apr 18 14:41:31 2011
@@ -0,0 +1,399 @@
+<!-- 
+  -  Official rules for ASL
+  -  Author: Scott R. Shinn
+  -  License: http://www.ossec.net/en/licensing.html
+  -->
+
+
+<!-- ASL mod_security -->
+
+<group name="modsecurity,">
+  <rule id="60100" level="0">
+    <decoded_as>modsecurity-errorlog</decoded_as>
+    <description>Apache messages grouped.</description>
+  </rule>    
+
+  <rule id="60101" level="0">
+    <if_sid>60100</if_sid>
+    <match>^[modsecurity] </match>
+    <description>Apache error messages grouped.</description>
+  </rule>
+
+  <!-- Mod security rules by <ossec ( at ) sioban.net -->
+  <rule id="60118" level="7">
+    <if_sid>60101</if_sid>
+    <match>Access denied</match>
+    <description>Access attempt blocked by Mod Security.</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60119" level="12" frequency="6" timeframe="120">
+    <if_matched_sid>60118</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple attempts blocked by Mod Security.</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60121" level="7">
+    <if_sid>60101</if_sid>
+    <match>CRITICAL</match>
+    <description>Critical alert by Mod Security.</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60122" level="6">
+    <if_sid>60101</if_sid>
+    <match>ALERT</match>
+    <description>ALERT by Mod Security.</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60123" level="5">
+    <if_sid>60101</if_sid>
+    <match>WARNING</match>
+    <description>WARNING by Mod Security.</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60124" level="3">
+    <if_sid>60101</if_sid>
+    <match>NOTICE</match>
+    <description>NOTICE by Mod Security.</description>
+    <group>access_denied,</group>
+  </rule>
+
+<!-- http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html -->
+  <rule id="60125" level="4">
+    <if_sid>60101</if_sid>
+    <match>400</match>
+    <description>Bad Request</description>
+  </rule>
+
+  <rule id="60126" level="5">
+    <if_sid>60101</if_sid>
+    <match>401</match>
+    <description>HTTP Authorization failed</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60127" level="5">
+    <if_sid>60101</if_sid>
+    <match>402</match>
+    <description>Payment Required </description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60128" level="5">
+    <if_sid>60101</if_sid>
+    <match>403</match>
+    <description>Forbidden</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60129" level="5">
+    <if_sid>60101</if_sid>
+    <match>404</match>
+    <description>File Not Found</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60130" level="5">
+    <if_sid>60101</if_sid>
+    <match>405</match>
+    <description>Method Not Allowed</description>
+    <group>access_denied,</group>
+  </rule>
+
+<!-- 406
+ The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.
+
+Unless it was a HEAD request, the response SHOULD include an entity containing a list of available entity characteristics and location(s) from which the user or user agent can choose the one most appropriate. The entity format is specified by the media type given in the Content-Type header field. Depending upon the format and the capabilities of the user agent, selection of the most appropriate choice MAY be performed automatically. However, this specification does not define any standard for such automatic selection.
+
+      Note: HTTP/1.1 servers are allowed to return responses which are
+      not acceptable according to the accept headers sent in the
+      request. In some cases, this may even be preferable to sending a
+      406 response. User agents are encouraged to inspect the headers of
+      an incoming response to determine if it is acceptable.
+
+If the response could be unacceptable, a user agent SHOULD temporarily stop receipt of more data and query the user for a decision on further actions. 
+-->
+  <rule id="60131" level="5">
+    <if_sid>60101</if_sid>
+    <match>406</match>
+    <description>Not Acceptible</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60132" level="5">
+    <if_sid>60101</if_sid>
+    <match>407</match>
+    <description>Proxy Authentication Required</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60133" level="5">
+    <if_sid>60101</if_sid>
+    <match>408</match>
+    <description>Request Timeout</description>
+    <group>access_denied,</group>
+  </rule>
+
+<!--
+ The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request. The response body SHOULD include enough information for the user to recognize the source of the conflict. Ideally, the response entity would include enough information for the user or user agent to fix the problem; however, that might not be possible and is not required.
+
+Conflicts are most likely to occur in response to a PUT request. For example, if versioning were being used and the entity being PUT included changes to a resource which conflict with those made by an earlier (third-party) request, the server might use the 409 response to indicate that it can't complete the request. In this case, the response entity would likely contain a list of the differences between the two versions in a format defined by the response Content-Type.
+10.4.11
+-->
+  <rule id="60134" level="5">
+    <if_sid>60101</if_sid>
+    <match>409</match>
+    <description>Conflict</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60135" level="5">
+    <if_sid>60101</if_sid>
+    <match>410</match>
+    <description>Gone</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60136" level="5">
+    <if_sid>60101</if_sid>
+    <match>411</match>
+    <description>Length Required</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60137" level="5">
+    <if_sid>60101</if_sid>
+    <match>412</match>
+    <description>Precondition Failed</description>
+    <group>access_denied,</group>
+  </rule>
+
+
+  <rule id="60138" level="5">
+    <if_sid>60101</if_sid>
+    <match>413</match>
+    <description>Request Entity Too Large</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60139" level="5">
+    <if_sid>60101</if_sid>
+    <match>414</match>
+    <description>Request URI Too long</description>
+    <group>access_denied,</group>
+  </rule>
+
+
+  <rule id="60140" level="5">
+    <if_sid>60101</if_sid>
+    <match>415</match>
+    <description>Unspported Media Type</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="60141" level="5">
+    <if_sid>60101</if_sid>
+    <match>416</match>
+    <description>Requested range not satisfied</description>
+    <group>access_denied,</group>
+  </rule>
+
+
+  <rule id="60142" level="5">
+    <if_sid>60101</if_sid>
+    <match>417</match>
+    <description>Expectation Failed</description>
+    <group>access_denied,</group>
+  </rule>
+
+
+
+</group> <!-- ERROR_LOG,APACHE -->
+
+
+
+<!-- ASL PAM, Syslog -->
+
+<!-- TODO: Suppress getaddrinfo  (may be done already)
+
+** Alert 1225464463.121226: - syslog,sshd,
+2008 Oct 31 10:47:43 www2->/var/log/secure
+Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
+Src IP: 203-113-116-60.totisp.net
+User: (none)
+Oct 31 10:47:43 www2 sshd[30741]: reverse mapping checking getaddrinfo for 203-1
+13-116-60.totisp.net failed - POSSIBLE BREAKIN ATTEMPT!
+-->
+
+<!-- TODO: Yum install
+2008 Nov 03 12:55:50 c5-central->/var/log/messages
+Rule: 59997 (level 3) -> '(null)'
+Src IP: (none)
+User: (none)
+Nov  3 12:55:50 c5-central yum: Installed: qgreylist - 0.3-3.el5.art.i386
+
+-->
+
+<!-- Suppress greylist 
+** Alert 1225746585.108255: mail  - syslog,errors,
+2008 Nov 03 16:09:45 ac3->/var/log/maillog
+Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
+Src IP: (none)
+User: (none)
+Nov  3 16:09:44 ac3 greylist[23153]: IP 199.125.85.46 new - temp error
+
+-->
+
+<!-- Suppress error unknown alert error message -->
+<group name="syslog,errors"> 
+  
+  <!-- Greylist messages -->
+  <rule id="59997" level="0" >
+    <match>new - temp error</match>
+    <description>Greylisting: Temporary delay</description>
+  </rule>
+
+  <rule id="59998" level="0" >
+    <match>back too soon - temp error again</match>
+    <description>Greylisting: Back too soon</description>
+  </rule>
+
+
+  <!-- PAM messages -->
+  <rule id="59999" level="1">
+    <match>error retrieving information about user</match>
+    <description> PAM: error retrieving information about user</description>
+  </rule>
+
+  <!-- ASL stack test messages -->
+  <rule id="60000" level="0">
+    <match> anonmap</match>
+    <description> ASL stack testing tool anonmap</description>
+  </rule>
+
+  <!-- ASL stack test messages -->
+  <rule id="60001" level="0">
+    <match> execbss</match>
+    <description> ASL stack testing tool execbss</description>
+  </rule>
+
+  <!-- ASL stack test messages -->
+  <rule id="60002" level="0">
+    <match> execdata</match>
+    <description> ASL stack testing tool execdata</description>
+  </rule>
+
+  <!-- ASL stack test messages -->
+  <rule id="60003" level="0">
+    <match> execheap</match>
+    <description> ASL stack testing tool execheap</description>
+  </rule>
+
+  <!-- ASL stack test messages -->
+  <rule id="60004" level="0">
+    <match> execstack</match>
+    <description> ASL stack testing tool execstack</description>
+  </rule>
+
+  <!-- ASL stack test messages -->
+  <rule id="60005" level="0">
+    <match> shlibbss</match>
+    <description> ASL stack testing tool shlibbss</description>
+  </rule>
+
+  <!-- named connection refused resolving -->
+  <rule id="60006" level="0">
+    <match> connection refused resolving</match>
+    <description> named error when it attempts to resolve from a host this is refusing connections</description>
+  </rule>
+
+  <!-- proftp chroot error -->
+  <rule id="60007" level="0">
+    <program_name>proftpd</program_name>
+    <match>error retrieving information about user 0</match>
+    <description> proftp error when chrooting</description>
+  </rule>
+
+  <!-- proftp chroot error -->
+  <rule id="60008" level="0">
+    <program_name>proftpd</program_name>
+    <match>Unable to open config file: /etc/security/pam_env.conf: No such file or directory</match>
+    <description> proftp error when chrooting</description>
+  </rule>
+
+  <!-- proftp chroot error -->
+  <rule id="60009" level="0">
+    <program_name>proftpd</program_name>
+    <match>Deprecated pam_stack module called from service</match>
+    <description> proftp error when chrooting</description>
+  </rule>
+
+  <!-- ASL stack test messages -->
+  <rule id="60010" level="0">
+    <match>writetext</match>
+    <description> ASL stack testing tool writetext</description>
+  </rule>
+
+</group>
+
+<group name="syslog,denyhosts,">
+  <rule id="60800" level="0">
+    <decoded_as>denyhosts</decoded_as>
+    <description>Grouping for the Denyhosts rules.</description>
+  </rule>
+
+  <rule id="60801" level="7">
+    <if_sid>60800</if_sid>
+    <match>Added</match>
+    <description>SSH brute force attack detected.</description>
+  </rule>
+</group>
+
+
+<group name="syslog,smtpauth,">
+  <rule id="60900" level="0">
+    <decoded_as>smtpauth</decoded_as>
+    <description>Grouping for the smtpauth rules.</description>
+  </rule>
+
+  <rule id="60901" level="1">
+    <if_sid>60900</if_sid>
+    <match>SMTP connect</match>
+    <description>SMTP auth connection</description> 
+    <group>connection_attempt,</group>
+  </rule>
+   
+  <rule id="60902" level="1">
+    <if_sid>60900</if_sid>
+    <match>SMTP user</match>
+    <description>SMTP auth authentication success.</description> 
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="60903" level="5">
+    <if_sid>60900</if_sid>
+    <match>^LOGIN FAILED,|FAILED:|LOGIN FAILED</match>
+    <description>smtp_auth authentication failed.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="60910" level="10" frequency="10" timeframe="60">
+    <if_matched_sid>60903</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple authentication failures from same source.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+
+
+</group>
+
+
+
+
+<!-- EOF -->
+

================================================================
Index: packages/ossec-hids/asl-shun.pl
diff -u /dev/null packages/ossec-hids/asl-shun.pl:1.1
--- /dev/null	Mon Apr 18 14:41:37 2011
+++ packages/ossec-hids/asl-shun.pl	Mon Apr 18 14:41:31 2011
@@ -0,0 +1,319 @@
+#!/usr/bin/perl -w
+
+# $Revision$
+# $Source$
+# %Location: /usr/local/sbin/
+# %Servers:  brave
+
+# script to take ip# hit by rules in apache mod_security
+# and feed them to iptables to ban access to port 80 (http)
+
+
+# BAN-HACKERS.PL written by Stanislaw Polak
+# http://www.icsr.agh.edu.pl/~polak/
+# 30 Nov 2006
+#
+# Copyright (c) 2006 Stanislaw Polak
+# Unpublished work.
+# Permission granted to use and modify this script so long as the
+# copyright above is maintained, modifications are documented, and
+# credit is given for any use of the script.
+#
+# For more information, see:
+# http://www.icsr.agh.edu.pl/~polak/skrypty/ban-hackers.var    
+#
+#Version 1.03 (7 Apr 2008) 
+#            Some modifications made by Dan MacNeil
+#Version 1.02 (24 Jan 2007)
+#	Locking was added	
+#Version 1.01 (27 Dec 2006)
+#		Problems with deleting a few the same rules has been fixed
+#Version 1.0 (30 Nov 2006)
+#             The first public version
+
+# ASL: reload check
+if ( -e "/var/ossec/var/ossec.reload" ) {
+  exit;
+}
+
+
+use DBI;
+use strict;
+use Fcntl qw (:flock);
+
+
+my($ip,$dbh,$standard_period,$nonstandard_period,$max_elements,%whitelist,$dbname,$rule);
+
+
+######################################################################################################
+# $standard_period    | elements which were added $standard_period seconds ago or ealier can be purged
+######################################################################################################
+# $max_elements       | when number of elements in the database exceedes $max_elements, elements
+# $nonstandard_period | which were added $nonstandard_period seconds ago or ealier can be purged
+######################################################################################################
+
+# %whitelist          | hosts listed in %whitelist are never added to the database
+######################################################################################################
+# $dbname             | data are stored in the "$dbname" database
+######################################################################################################
+$standard_period=5*24*60*60;  #120 hours
+$nonstandard_period=24*60*60; #24 hours
+$max_elements=2000; 
+%whitelist=(
+	    "127.0.0.1"=>0,
+	    "0.0.0.0"=>0
+	    );
+$dbname="/var/ossec/var/blocklist.sqlite";
+############## open lock file ##############
+my $lock_file = '/var/ossec/var/blocklist.lock'; 
+open LOCKFILE, "<$lock_file"  or open LOCKFILE, ">>$lock_file" or warn "Cannot open $lock_file";
+######################################################################################################
+
+
+
+#$ip=$ENV{HTTP_X_FORWARDED_FOR};
+$ip=$ENV{REMOTE_ADDR};
+
+
+$dbh=&open_db;
+#is script executed without arguments
+if($#ARGV==-1 && $ip) { #add actual IP to the database
+  # the script you execute must write something (anything) to stdout. 
+  # If it doesn't ModSecurity will assume execution didn't work
+  # If you write something to stdout cron will email it to you
+  # so don't do that if running from cron and not ModSecurity
+  print "\t.\n"; 
+
+    # if connection was via proxy, address contains a list of client's IP
+    # and proxies' IP - hacker's IP will be IP of last proxy
+    my @ips=split(',',$ip); #the above addresses (elements of the list) are separated by "," 
+    $ip=$ips[$#ips]; #hacker's IP is the last IP from the list 
+    $ip =~s/^ *//;#Remove leading spaces:
+    flock(LOCKFILE, LOCK_EX);
+    if( !exists $whitelist{$ip} && !hacker_exists($dbh,$ip)){    #check if actual IP exists on the whitelist or in the database
+	&add_hacker_db($dbh,$ip,time); #add hacker's IP if it doesn't exists yet
+    }
+    flock(LOCKFILE, LOCK_UN);
+}
+
+# Executed with the "add" argument (OSSEC)
+elsif($ARGV[0] eq "add"){      #add the content of a database to iptables
+  #$user=$ARGV[1];
+  $ip=$ARGV[2];
+  #$timestamp=$ARGV[3];
+  $rule=$ARGV[4];
+
+  # Add to DB
+  flock(LOCKFILE, LOCK_EX);
+  if( !exists $whitelist{$ip} && !hacker_exists($dbh,$ip)){    #check if actual IP exists on the whitelist or in the database
+    &add_hacker_db($dbh,$ip,time,$rule); #add hacker's IP if it doesn't exists yet
+  }
+  flock(LOCKFILE, LOCK_UN);
+
+  # Shun 
+  flock(LOCKFILE, LOCK_EX);
+  &add_hacker_iptables($dbh);
+  flock(LOCKFILE, LOCK_UN);
+
+}
+elsif($ARGV[0] eq "delete"){      #add the content of a database to iptables
+    $ip=$ARGV[2];
+    flock(LOCKFILE, LOCK_EX);
+    &delete($dbh,$ip);
+    flock(LOCKFILE, LOCK_UN);
+
+}
+
+
+#when script is executed with the "purge" argument
+elsif($#ARGV==0 && $ARGV[0] eq "purge"){    #purge the content of the database
+    flock(LOCKFILE, LOCK_EX);
+    &purge($dbh);
+    flock(LOCKFILE, LOCK_UN);
+}
+#when script is executed with the "load" argument
+elsif($#ARGV==0 && $ARGV[0] eq "load"){      #add the content of a database to iptables
+    flock(LOCKFILE, LOCK_EX);
+    &add_hacker_iptables($dbh);
+    flock(LOCKFILE, LOCK_UN);
+}
+#when script is executed with the "list" argument
+elsif($#ARGV==0 && $ARGV[0] eq "list"){     #list the content of the database
+    flock(LOCKFILE, LOCK_SH);
+    my $query = qq{select * from hackers};
+    my $sth= $dbh->prepare($query);
+    $sth->execute;
+    print "IP        \tTimestamp\tRule \n",'-' x 40,"\n";
+    while (my (@data) = $sth->fetchrow_array) {
+	my $time = localtime($data[1]);
+        print "$data[0]\t $time\t $data[2]\n";
+    }
+    flock(LOCKFILE, LOCK_UN);
+}
+$dbh->disconnect;
+close LOCKFILE or die "Cannot close $lock_file";
+###############################################################################
+###############################################################################
+# opens a database and creates the "hackers" table  if it wasn't created ealier
+sub open_db{
+    my $dbh = DBI->connect("dbi:SQLite:dbname=$dbname","","") or die "Database connection not made: $DBI::errstr";
+    if (! table_exists( $dbh, "hackers")) { #if the "hackers" table doesn't exists
+	my $create_query = qq{     
+	    create table hackers (
+				  ip text unique,
+				  time integer not null,
+				  rule integer
+				  )
+	    };
+        $dbh->do( $create_query );          #create it
+    }
+    return $dbh;   #return a handler to the database
+}
+
+###############################################################################
+# add the IP and time stamp to the "hackers" database
+sub add_hacker_db{
+    my $dbh= shift;
+    my $ip = shift;
+    my $time = shift;
+    my $rule = shift;
+
+    my @fields = (qw(ip time rule));
+    my $fieldlist = join ", ", @fields;
+    my $field_placeholders = join ", ", map {'?'} @fields;
+    my $insert_query = qq{
+        INSERT INTO hackers ( $fieldlist )
+	    VALUES ( $field_placeholders )};
<<Diff was trimmed, longer than 597 lines>>


More information about the pld-cvs-commit mailing list