Tag Archives: ossec

OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those: <rule id=”31110″ level=”6″> <if_sid>31100</if_sid> <url>?-d|?-s|?-a|?-b|?-w</url> <description>PHP CGI-bin vulnerability attempt.</description> <group>attack,</group> </rule>   It looks for the possibly dangerous … Continue reading

Posted in ossec, webattacks | Tagged , , | Leave a comment

Database Logging (PostgreSQL and MySQL)

Nobody cares about database logging, but I really recommend enabling them to see what is happening behind the scenes (specially for web applications). To enable on PostgreSQL (and be compatible with OSSEC): # Adding the timestamp, hostname and database. log_line_prefix … Continue reading

Posted in log analysis, ossec | Tagged , , , | Leave a comment

3WoO: Alerting on DNS (IP Address) changes

If you keep your DNS outside and you can’t monitor the zone files directly, a nice way to make sure the integrity of your DNS is intact is by checking remotely that it hasn’t been changed. With OSSEC, you can … Continue reading

Posted in ossec, v27 | Tagged , | 1 Comment

Detecting outdated (web) applications with OSSEC

For the last few days I started working (again) on the system auditing module for OSSEC and one thing that can make it more useful is to detect outdated applications (specially web apps). Things like WordPress, Joomla, Wikis and others … Continue reading

Posted in log analysis, v27, webattacks | Tagged , | 9 Comments

OSSEC v2.6 is out!

OSSEC v2.6 was just released (finally :)) and you can get more details here: http://www.ossec.net/main/ossec-v2-6-released We are very happy to announce the availability of OSSEC version 2.6. This has been a long release cycle, but it is here now with … Continue reading

Posted in ossec, v2.6 | Tagged , | 3 Comments