{"id":4282,"date":"2016-12-02T13:48:12","date_gmt":"2016-12-02T04:48:12","guid":{"rendered":"http:\/\/blog.bitmeister.jp\/?p=4282"},"modified":"2016-12-02T13:48:12","modified_gmt":"2016-12-02T04:48:12","slug":"ossec%e3%81%a7%e5%90%8c%e3%81%98ip%e3%82%a2%e3%83%89%e3%83%ac%e3%82%b9port%e7%95%aa%e5%8f%b7%e3%81%8b%e3%82%89%e3%81%ae%e9%80%a3%e7%b6%9apost%e3%82%92%e6%a4%9c%e7%9f%a5%e3%81%99%e3%82%8b","status":"publish","type":"post","link":"https:\/\/blog.bitmeister.jp\/?p=4282","title":{"rendered":"Detecting consecutive POSTs from the same IP address and port number with OSSEC"},
"content":{"rendered":"<p>In <a href=\"https:\/\/blog.bitmeister.jp\/?p=4241\">the previous article<\/a> I wrote about an OSSEC rule definition that detects consecutive POSTs from the same IP address. This time I will cover detecting consecutive POSTs that come from the same IP address and, in addition, the same port number. The log OSSEC monitors is the Apache access log.<\/p>\n<p>The OSSEC, Apache and OS versions are as follows.<\/p>\n<p>OSSEC: 2.8.3<br \/>\nApache: 2.4<br \/>\nOS: Ubuntu 14.04<\/p>\n<h3>Changing the Apache LogFormat<\/h3>\n<p>For OSSEC to detect that requests come from the same port number, the port number has to be written to the Apache access log.<br \/>\nWith the Apache LogFormat set as below, each access log line begins with \"source IP address:source port number\" (e.g. 192.168.0.1:52998).<\/p>\n<pre>LogFormat \"%h:%{remote}p %l %u %t \\\"%r\\\" %&gt;s %O \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined\r\n<\/pre>\n<h3>Defining the OSSEC decoder<\/h3>\n<p>Define a decoder so that OSSEC can parse the Apache LogFormat that now includes the source port number. Using the Apache access log (NCSA) decoder \"web-accesslog\" defined in etc\/decoder.xml as a reference, define the decoder in etc\/local_decoder.xml.<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;decoder name=&quot;web-accesslog-custom&quot;&gt;\r\n  &lt;type&gt;web-log&lt;\/type&gt;\r\n  &lt;prematch&gt;^\\d+.\\d+.\\d+.\\d+:\\d+ |^::ffff:\\d+.\\d+.\\d+.\\d+:\\d+ &lt;\/prematch&gt;\r\n  &lt;regex&gt;^(\\d+.\\d+.\\d+.\\d+):(\\d+) \\S+ \\S+ &#x5B;\\S+ \\S\\d+] &lt;\/regex&gt;\r\n  &lt;regex&gt;&quot;\\w+ (\\S+) HTTP\\S+ (\\d+) &lt;\/regex&gt;\r\n  &lt;order&gt;srcip, srcport, url, id&lt;\/order&gt;\r\n&lt;\/decoder&gt;\r\n<\/pre>\n<p>After defining the decoder, restart OSSEC.<\/p>\n<p>Use bin\/ossec-logtest to check that an Apache access log line is parsed by the decoder you defined.<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n# .\/bin\/ossec-logtest \r\n2016\/12\/02 11:48:11 ossec-testrule: INFO: Reading local decoder file.\r\n2016\/12\/02 11:48:11 ossec-testrule: INFO: Started (pid: 17109).\r\nossec-testrule: Type one log per line.\r\n\r\n192.168.0.1:51349 - - &#x5B;02\/Dec\/2016:11:47:51 +0900] &quot;GET \/ HTTP\/1.1&quot; 200 3269 &quot;-&quot; &quot;Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36&quot;\r\n\r\n\r\n**Phase 1: Completed pre-decoding.\r\n       full event: '192.168.0.1:51349 - - &#x5B;02\/Dec\/2016:11:47:51 +0900] &quot;GET \/ HTTP\/1.1&quot; 200 3269 &quot;-&quot; &quot;Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36&quot;'\r\n       hostname: 'hogehoge'\r\n       program_name: '(null)'\r\n       log: '192.168.0.1:51349 - - &#x5B;02\/Dec\/2016:11:47:51 +0900] &quot;GET \/ HTTP\/1.1&quot; 200 3269 &quot;-&quot; &quot;Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36&quot;'\r\n\r\n**Phase 2: Completed decoding.\r\n       decoder: 'web-accesslog-custom'\r\n       srcip: '192.168.0.1'\r\n       srcport: '51349'\r\n       url: '\/'\r\n       id: '200'\r\n<\/pre>\n<p>Looking at \"**Phase 2: Completed decoding.\", you can see that the line was decoded by the \"web-accesslog-custom\" decoder we defined.<\/p>\n<h3>Defining the OSSEC rule<\/h3>\n<p>Adding a same-source-port (same_src_port) condition to the rule defined in <a href=\"https:\/\/blog.bitmeister.jp\/?p=4241\">the previous article<\/a> gives the following.<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;rule id=&quot;100041&quot; level=&quot;10&quot; timeframe=&quot;60&quot; frequency=&quot;3&quot;&gt;\r\n  &lt;if_matched_sid&gt;31530&lt;\/if_matched_sid&gt;\r\n  &lt;url&gt;\/users&lt;\/url&gt;\r\n  &lt;same_source_ip \/&gt;\r\n  &lt;same_src_port \/&gt;\r\n  &lt;description&gt;Multiple login challenge from same source ip.&lt;\/description&gt;\r\n&lt;\/rule&gt;\r\n<\/pre>\n<p>It fires when a URL matching \"\/users\" receives 5 consecutive POSTs from the same IP address and port number within 60 seconds (rule ID 31530 matches \"] \u201cPOST\").<\/p>\n<p>After defining the rule, restart OSSEC.<\/p>\n<p>Note: at the time of writing (2016\/12\/9) the <a href=\"http:\/\/ossec.github.io\/docs\/syntax\/head_rules.html\" target=\"_blank\">official documentation<\/a> lists \"same_sourse_port\", but it did not work unless I used \"same_src_port\".<\/p>\n<p>For details on OSSEC, see the official documentation.<br \/>\n<a href=\"http:\/\/ossec.github.io\/docs\/\">http:\/\/ossec.github.io\/docs\/<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>In the previous article I wrote about an OSSEC rule definition that detects consecutive POSTs from the same IP address. This time I will cover detecting consecutive POSTs that come from the same IP address and, in addition, the same port number. The log OSSEC [&hellip;]<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[146],"class_list":["post-4282","post","type-post","status-publish","format-standard","hentry","category-tech","tag-ossec"],
"_links":{"self":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts\/4282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4282"}],"version-history":[{"count":12,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts\/4282\/revisions"}],"predecessor-version":[{"id":4296,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts\/4282\/revisions\/4296"}],"wp:attachment":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}