Installed as usual. Then it was merely a matter of adding the log files (access.log and error.log) from my nginx site into the ossec.cfg configuration file. Recent versions from 2.3 upwards to the latest (2.5.1) are able to parse nginx logs.

I was not sure on the log_format parameter, so I left it as syslog. Started up ossec and proceed to pound my web server with a Nikto Scan. Anyone who has used Nikto and taken a peak the access.log of your web server knows that it is a very noisy testing tool. That noise is great when you want to test a new ossec.net install. Emails were firing from ossec alerting me to fact that my site was being scanned.

Rule: 31151 fired (level 10) -> “Mutiple web server 400 error codes from same source ip.”
Portion of the log(s):

209.x.x.7 – - [06/Feb/2011:23:39:46 +0000] “GET /d9jH9IhB.EXE HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:map_codes)”
209.x.x.7 – - [06/Feb/2011:23:39:46 +0000] “GET /d9jH9IhB.password HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:map_codes)”
–snip–

And others like this…

OSSEC HIDS Notification.
2011 Feb 06 23:41:45

Received From: li242-18->/var/log/nginx/hackertarget.com/access.log
Rule: 31153 fired (level 10) -> “Multiple common web attacks from same souce ip.”
Portion of the log(s):

209.20.68.7 – - [06/Feb/2011:23:41:44 +0000] “GET /nsn/..%5Cutil/set.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000379)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/send.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000378)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/ren.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000377)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/rd.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000376)”
–snip–

This highlights how easy it is to test your intrusion detection capability. If you run a serious website, you really should have something in place that will alert you to this sort of noisy scanning. So get on with it and start testing your IDS / IPS. It’s easy and free at HackerTarget.com.

Enjoy the web scanning from the leading open source web scanning tool.

Head over to Cirt.net for full details.

Go here for a full run down on the new features.

Or here for some comprehensive documentation.

We are currently testing the new release before adding it to the HackerTarget.com scan suite.