As mentioned in previous posts my web server has moved to a Nginx environment. Being a fan of the ossec host based intrusion detection software (hids) of course I had to add it the new host.
Installed as usual. Then it was merely a matter of adding the log files (access.log and error.log) from my nginx site into the ossec.cfg configuration file. Recent versions from 2.3 upwards to the latest (2.5.1) are able to parse nginx logs.
I was not sure on the log_format parameter, so I left it as syslog. Started up ossec and proceed to pound my web server with a Nikto Scan. Anyone who has used Nikto and taken a peak the access.log of your web server knows that it is a very noisy testing tool. That noise is great when you want to test a new ossec.net install. Emails were firing from ossec alerting me to fact that my site was being scanned.
Rule: 31151 fired (level 10) -> “Mutiple web server 400 error codes from same source ip.”
Portion of the log(s):209.x.x.7 – - [06/Feb/2011:23:39:46 +0000] “GET /d9jH9IhB.EXE HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:map_codes)”
209.x.x.7 – - [06/Feb/2011:23:39:46 +0000] “GET /d9jH9IhB.password HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:map_codes)”
–snip–
And others like this…
OSSEC HIDS Notification.
2011 Feb 06 23:41:45Received From: li242-18->/var/log/nginx/hackertarget.com/access.log
Rule: 31153 fired (level 10) -> “Multiple common web attacks from same souce ip.”
Portion of the log(s):209.20.68.7 – - [06/Feb/2011:23:41:44 +0000] “GET /nsn/..%5Cutil/set.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000379)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/send.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000378)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/ren.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000377)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/rd.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000376)”
–snip–
This highlights how easy it is to test your intrusion detection capability. If you run a serious website, you really should have something in place that will alert you to this sort of noisy scanning. So get on with it and start testing your IDS / IPS. It’s easy and free at HackerTarget.com.
