OSSEC | How to add an exception rule - linux

I have the standard syslog_rules.xml (OSSEC 2.6.0).
This is the standard rule for bad words in the /var/log/messages file:
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
.....
<rule id="1002" level="2">
<match>$BAD_WORDS</match>
<options>alert_by_email</options>
<description>Unknown problem somewhere in the system.</description>
</rule>
.....
How can I add or modify this rule that uses $BAD_WORDS, but excludes the auxpropfunc error phrase? That is, something like this:
<match>$BAD_WORDS</match>
<match>!auxpropfunc error</match>
<options>alert_by_email</options>
Any ideas?

Your best option is probably to write a rule to ignore that phrase. You could add something like the following to /var/ossec/rules/local_rules.xml:
<rule id="SOMETHING" level="0">
<if_sid>1002</if_sid>
<match>auxpropfunc error</match>
<description>Ignore auxpropfunc error.</description>
</rule>
You could then run the entire log message through ossec-logtest to see how OSSEC will analyze it. You may need to add another option into this rule, or you may not.

If you have more than one word, you could add something like the following to /var/ossec/rules/local_rules.xml
<var name="GOOD_WORDS">error_reporting|auxpropfunc error</var>
<rule id="100002" level="0">
<if_sid>1002</if_sid>
<match>$GOOD_WORDS</match>
<description>Ignore good_words.</description>
</rule>

Related

Where do I set the maximum query string length?

From an HTTP request with a loooong query string - 2847 in this case -, I got back error 404.15 with the following message:
Überprüfen Sie die Einstellung "configuration/system.webServer/security/requestFiltering/requestLimits#maxQueryString" in der Datei "applicationhost.config" oder "web.config".
In English:
Check the "configuration/system.webServer/security/requestFiltering/requestLimits#maxQueryString" setting in the "applicationhost.config" or "web.config" file.
I did this, by following the documentation and changing the maximum query string length from 2048 to 4096 characters.
Evidently, the above change has had an effect, as the original error message is gone.
Instead, I am now getting another error, still related to the maximum query string length. This time, it comes with HTTP code 400 and says:
Die Länge der Abfragezeichenfolge für die Anforderung überschreitet den konfigurierten maxQueryStringLength-Wert.
In English:
The query string length of the request exceeds the configured maxQueryStringLength value.
Now, I have scanned all *.config files on my entire disks for any occurrences of the substring maxQueryString. There is only one such occurrence in total, and it is the Web.config file for my IIS default website, which says
<requestLimits maxQueryString="4096" />
Hence, something else must be influencing the maximum query length - where else can this setting me configured?
first, make sure you enabled the anonymous authentication in iis:
set below code in web.config file:
<system.web>
<httpRuntime maxUrlLength="10999" maxQueryStringLength="2097151" />
……
</system.web>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxUrl="10999" maxQueryString="2097151" />
</requestFiltering>
</security>
</system.webServer>
Note: set value a little bit higher than your requirement. above mentioned is just an example.
set this value in the root folder config file. and restart iis after doing changes.

iis reverse proxy rule fail with the same virtual directory

I have two urls,
the first one looks like: localhost1/api/test/2.0/aaa
the second one looks like: localhost2/api/test/3.0/aaa
when using localhost1/api/test/3.0/aaa ,I want rewrite to localhost2/api/test/3.0/aaa.
My rewrite map : original value is localhost1 and new value is localhost2
My inbound rule is api/(.+)/3.0/(.+), url match is https://{C:0}/api/{R:1}/3.0/{R:2}
When I use localhost1/api/test/3.0/aaa
I always get response from localhost1/api/test/2.0/aaa , but I really want is
localhost2/api/test/3.0/aaa
Please tell me how to fix it.
(ps: if using localhost1/api/test2/3.0/aaa , I can get the correct response from localhost2/api/test2/3.0/aaa. ,but exists locahost1/api/test)
Thanks.
As far as I know, the C:0 will match the condition pattern not the inbound pattern. Besides, I found you just write the rule to match the localhost1/api/test/3.0/aaa not the api/test/2.0/aaa.
If you want to let the 2.0 also rewrite to the localhost2, I suggest you could add below url rewrite rule.
<rule name="Teeee">
<match url="api/(.+)/2.0/(.+)" />
<action type="Rewrite" url="https://localhost2/api/{R:1}/2.0/{R:2}" />
</rule>

SlowCheetah transform ignores multiple conditions

I have a WCF configuration file that I am trying to transform with SlowCheetah. For development use, we want to include the MEX endpoints, but when we release the product, these endpoints should be removed on all services except one. The server for which it should be left has the following endpoint:
<endpoint address="MEX"
binding="mexHttpBinding"
contract="IMetadataExchange" />
The ones that should be removed are as follows:
<endpoint address="net.tcp://computername:8001/WCFAttachmentService/MEX"
binding="netTcpBinding"
bindingConfiguration="UnsecureNetTcpBinding"
name="WCFAttachmentServiceMexEndpoint"
contract="IMetadataExchange" />
The transform I am using is:
<service>
<endpoint xdt:Locator="Condition(contains(#address, 'MEX') and not(contains(#binding, 'mexHttpBinding')))" xdt:Transform="RemoveAll" />
</service>
However, when I run this, ALL MEX endpoints are removed from the config file including the one that I wish to keep. How do I make this work properly?
The Locator Condition expression that selects the nodes seems to be correct. If you had only the two endpoints you posted in your example, this expression will select the second endpoint.
According to the documentation the Transform attribute RemoveAll should "remove the selected element or elements." Based on the information you posted it's not working as expected, since the first element was not selected and was removed anyway. Based on this StackOverflow answer it seems to me that the issue is with Condition. I'm not sure if that's a bug (it's poorly documented), but you could try some alternative solutions:
1) Using XPath instead of Condition. The effective XPath expression that is applied to your configuration file as a result of the Condition expression is:
/services/service/endpoint[contains(#address, 'MEX') and not(contains(#binding, 'mexHttpBinding'))]
You should also obtain the same result using the XPath attribute instead of Condition:
<endpoint xdt:Locator="XPath(/services/service/endpoint[contains(#address, 'MEX')
and not(contains(#binding, 'mexHttpBinding'))])" xdt:Transform="RemoveAll" />
2) Using Match and testing an attribute such as binding. This is a simpler test, and would be IMO the preferred way to perform the match. You could select the nodes you want to remove by the binding attribute
<endpoint binding="netTcpBinding" xdt:Locator="Match(binding)" xdt:Transform="RemoveAll" />
3) UsingXPath instead of Match in case you have many different bindings and only want to eliminate only those which are not mexHttpBinding:
<endpoint xdt:Locator="XPath(/services/service/endpoint[not(#binding='mexHttpBinding'))" xdt:Transform="RemoveAll" />
4) Finally, you could try using several separate statements with Condition() or Match() to individually select the <endpoint> elements you wish to remove, and use xdt:Transform="Remove" instead of RemoveAll.

XSL-FO conditional-page-master-reference keeps rendering 2+ pages using last page master

I have this layout-master-set definition:
<fo:layout-master-set>
<fo:simple-page-master master-name="all-pages" page-width="210mm" page-height="297mm" margin="20mm 20mm 0mm 20mm" >
<fo:region-body margin-top="25mm" margin-bottom="35mm" />
<fo:region-before extent="20mm" />
<fo:region-after extent="30mm" />
</fo:simple-page-master>
<fo:simple-page-master master-name="last-page" page-width="210mm" page-height="297mm" margin="20mm 20mm 0mm 20mm" >
<fo:region-body margin-top="25mm" margin-bottom="115mm" />
<fo:region-before extent="20mm" />
<fo:region-after extent="110mm" region-name="region-last-page" />
</fo:simple-page-master>
<fo:page-sequence-master master-name="pages">
<fo:repeatable-page-master-alternatives>
<fo:conditional-page-master-reference page-position="last" master-reference="last-page"/>
<fo:conditional-page-master-reference page-position="any" master-reference="all-pages"/>
</fo:repeatable-page-master-alternatives>
</fo:page-sequence-master>
</fo:layout-master-set>
As you can see, I want the last page to render a much bigger region-after, but instead I get the large region-after on all pages after the first, and the all-pages master is only used for the first page?
Does anyone see a problem with that configuration?
PS: using Fop 0.20.5
The configuration looks okay. But you should give all regions a name to remove ambiguity.
The fo:page-sequence-master is correctly defined, the problem is the FOP version you are using: 0.20.5 dates back to 2003 (!) and had several bugs and missing features.
At the moment the latest released version is 1.1, which creates the pages as expected.
Disclosure: I am a FOP developer (although I haven't been very active for years).

How can I pull out the values for rewriteMaps and GlobalRules in applicationHost.config with PowerShell?

I am dealing with a large amount of redirects in our applicationHost.config file, basically I want to read the redirect rules and pull out the XML information for the rules so I can get the redirects URLs for review. Since we have a large set of redirect rules in our IIS 7.5 instance, put in using the URLRewrite Feature for IIS .
I want to export a listing of the rules we have in place, and since the applicationHost.config is XML using PowerShell 2.0 (I can't use 3.0 where I am yet) I should be able to just go through the nodes and pull them out. Simple I thought until I tried to get anything under the sectionGroup system.webServer and when I try to pull out that node I can't get any values to appear.
When looking at the config file a basic rule is structured (as per the links to Microsoft above):
<rule name="Administration Redirection" enabled="true" stopProcessing="true">
<match url="^administration[/]?.*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Redirect" url="http://www.mysite.fake/{R:0}" />
</rule>
Basically I have the intent to do something like the following:
[xml]$redirectXML = Get-Content $redirectFile
$redirectXML | % {$_.configuration.system.webServer.rewrite.rewriteMaps}
Where I want to get the rewriteMap key & value, so I have those redirects and can pull out the key and the redirected URL from the rules like this:
$redirectXML | % {$_.configuration.system.webServer.rewrite.globalRules.rule}
Here I want to link up the values in the and which will get me the majority of our redirect URLs.
It looked like the system.webServer is messing up the nodes somehow, since it has the . in the name. An option that seemed to be available was using configuration.configSections since that shows the sectionGroups, one of them is system.webServer, but I haven't figured out how to get the nodes in the right format to pull out the section I want.
Is there a way to do this, or a better way than trying to use the Get-Content? I've done other XML files in that before and while I have seen some other PowerShell script for applicationHost.config most are for adding, all I want to do is extract a couple of nodes.
Thanks for any help or pointers.
EDIT: So while still looking around I found out I can get past system.webServer by using " marks around it. Like so:
$redirectXMl.configuration."system.webServer".rewrite.rewriteMaps.rewriteMap.add
This gets me the Rewrite Maps in a nice sort of table of key, value pairs. Now I still need to get the GlobalRules. I can get each Rule with the following:
$redirectXMl.configuration."system.webServer".rewrite.globalRules.rule
which displays:
name : Campaign Redirect
enabled : true
stopProcessing : true
match : match
conditions : conditions
action : action
But then I need to pull out the values for match and action, not there yet.
After some work through the XMl, and finding some other answers that pointed me in the right direction I ended up with the following script. It could probably be cleaner but basically I was looking to pull out the portion of the applicationHost.config that handles the rewrites/redirects so I can manage the 100 or so we deal with on our site. It's hard to keep track of them on a different document so I wanted the ability to pull out what I wanted at any time.
This is in PowerShell v2.0, which is what we use for scripting. Comments mostly included to give an idea of what I am doing.
# Get the path and name of the redirect file, the
# ApplicationHost.Config file
Param([string]$redirectFile)
# Constants that will be necessary
[string]$redirListDir = $null
# Using a CSV to make it simpler to reorder
[string]$redirectList = "redirectList.csv"
# Check that we have a file to pull redirects from
if ( ($redirectFile -eq $null) -or ($redirectFile -eq "")) {
"Hey, you need to give a file to check. Make sure its the path including the name "
"of the applicationHost.config that needs to be checked. Try something like "
".\redirectReview.ps1 C:\FileLocation\applicationHost.config"
"Thank you!"
exit
}
# Check that we have a place to put the file at the end
if(($redirListDir -eq $null) -or ($redirListDir -eq "")) {
if (Test-Path -Path "d:\temp") {
$redirListDir = "d:\temp"
"Using D:\Temp"
} elseif (Test-Path -Path "c:\temp") {
$redirListDir = "c:\temp"
"Using C:\Temp"
} else {
"Cannot find a Temp directory as D:\temp or C:\temp. Create one and try again.`n"
exit
}
}
# Clean up any existing file so we can create a new one
$redirectListFile = Join-Path -Path $redirListDir -ChildPath($redirectList)
if (Test-Path $redirectListFile) {
Remove-Item $redirectListFile -Force
}
# Open the file and put it in an XML format
[xml]$redirectXML = Get-Content $redirectFile
# Review the XML tags
# This gets all the rewrite Map redirects
$rules = $redirectXMl.configuration."system.webServer".rewrite.rewriteMaps.rewriteMap.add
"Now for the Global Rules"
# This gets all the rules that have been added
$redirectUrl = $redirectXMl.configuration."system.webServer".rewrite.globalRules.rule
"Creating the output file"
# Output the claimed values into a CSV file that can be reviewed somewhere
$rules | % {
$a = $_.key + "`t" + $_.value
$a >> $redirectListFile
}
$redirectUrl | % {
$b1 = ($_.match).OuterXML
$b2 = ($_.action).OuterXML
# Probably a better way to handle this but I need to match up the two properties
$b = $b1 + "`t" + $b2
$b >> $redirectListFile
}
# We should be done here

Resources