{"id":4375,"date":"2017-06-07T10:00:17","date_gmt":"2017-06-07T01:00:17","guid":{"rendered":"http:\/\/blog.bitmeister.jp\/?p=4375"},"modified":"2017-05-09T14:01:13","modified_gmt":"2017-05-09T05:01:13","slug":"ossec-v2-9-0-%e3%81%a7apache%e3%82%a2%e3%82%af%e3%82%bb%e3%82%b9%e3%83%ad%e3%82%b0%e3%81%aeport%e7%95%aa%e5%8f%b7%e3%82%92%e8%a7%a3%e9%87%88%e3%81%99%e3%82%8b%e3%83%87%e3%82%b3%e3%83%bc%e3%83%80","status":"publish","type":"post","link":"https:\/\/blog.bitmeister.jp\/?p=4375","title":{"rendered":"OSSEC v2.9.0 \u3067Apache\u30a2\u30af\u30bb\u30b9\u30ed\u30b0\u306ePort\u756a\u53f7\u3092\u89e3\u91c8\u3059\u308b\u30c7\u30b3\u30fc\u30c0\u3092\u5b9a\u7fa9\u3059\u308b"},"content":{"rendered":"

2017\u5e742\u67089\u65e5\u306bOSSEC\u306e\u30d0\u30fc\u30b8\u30e7\u30f32.9.0\u304c\u30ea\u30ea\u30fc\u30b9<\/a>\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n

v2.9.0\u3067\u306fIPv6\u304c\u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3001IP\u30a2\u30c9\u30ec\u30b9\u3092\u89e3\u91c8\u3059\u308b\u30c7\u30b3\u30fc\u30c0\u306e\u5b9a\u7fa9\u304c\u66f4\u65b0\u3055\u308c\u3066\u3044\u307e\u3059\u3002
\n\u4ee5\u524d\u306e\u8a18\u4e8b<\/a>\u3067\u3001\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306ePort\u756a\u53f7\u3092Apache\u306e\u30a2\u30af\u30bb\u30b9\u30ed\u30b0\u306b\u51fa\u529b\u3059\u308b\u5834\u5408\u306e\u30c7\u30b3\u30fc\u30c0\u5b9a\u7fa9\u306b\u3064\u3044\u3066\u66f8\u304d\u307e\u3057\u305f\u304c\u3001\u3053\u306e\u3088\u3046\u306a\u5834\u5408\u3001v2.9.0\u3067\u306f\u3069\u306e\u3088\u3046\u306b\u30c7\u30b3\u30fc\u30c0\u3092\u5b9a\u7fa9\u3059\u308c\u3070\u3088\u3044\u304b\u8abf\u3079\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n

\u672c\u8a18\u4e8b\u3067\u5bfe\u8c61\u3068\u3059\u308bOSSEC\u3001Apache\u3068OS\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u4ee5\u4e0b\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n

OSSEC: 2.9.0
\nApache: 2.4
\nOS: Ubuntu 14.04<\/p>\n

<\/p>\n

Apache\u306eLogFormat\u3092\u5909\u66f4\u3059\u308b<\/h3>\n

\u4ee5\u524d\u306e\u8a18\u4e8b<\/a>\u3067\u306f\u300c\u9001\u4fe1\u5143IP\u30a2\u30c9\u30ec\u30b9:\u9001\u4fe1\u5143Port\u756a\u53f7\u300d\u3068\u51fa\u529b\u3055\u308c\u308b\u3088\u3046\u306b\u5b9a\u7fa9\u3057\u3066\u3044\u307e\u3057\u305f\u304c\u3001OSSEC\u3067\u89e3\u91c8\u3057\u3084\u3059\u3044\u3088\u3046\u306bApache\u306eLogFormat\u3092\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u5909\u66f4\u3057\u307e\u3057\u305f\u3002<\/p>\n

\r\nLogFormat \"%h %{remote}p %l %u %t \\\"%r\\\" %>s %O \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined\r\n<\/pre>\n
\u30a2\u30af\u30bb\u30b9\u30ed\u30b0\u306e\u5148\u982d\u306b\u300c\u9001\u4fe1\u5143IP\u30a2\u30c9\u30ec\u30b9(\u534a\u89d2\u30b9\u30da\u30fc\u30b9)\u9001\u4fe1\u5143Port\u756a\u53f7\u300d(e.g. 192.168.0.1 52998 )\u304c\u51fa\u529b\u3055\u308c\u307e\u3059\u3002<\/p>\n
OSSEC\u306e\u30c7\u30b3\u30fc\u30c0\u3092\u5b9a\u7fa9\u3059\u308b<\/h3>\n
etc\/decoder.xml \u306b\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308bApache\u306e\u30a2\u30af\u30bb\u30b9\u30ed\u30b0(NCSA)\u306e\u30c7\u30b3\u30fc\u30c0\u300cweb-accesslog\u300d\u3092\u53c2\u8003\u306b etc\/local_decoder.xml \u306b\u30c7\u30b3\u30fc\u30c0\u300cweb-accesslog-custom\u300d\u3092\u5b9a\u7fa9\u3057\u307e\u3059\u3002<\/p>\n
\r\n<decoder name="web-accesslog-custom">\r\n  <type>web-log<\/type>\r\n  <prematch>^\\S+ \\d+ \\S+ \\S+ [\\S+ \\S\\d+] "\\w+ \\S+ HTTP\\S+" <\/prematch>\r\n  <regex>^(\\S+) (\\d+) \\S+ \\S+ [\\S+ \\S\\d+] <\/regex>\r\n  <regex>"\\w+ (\\S+) HTTP\\S+" (\\d+) <\/regex>\r\n  <order>srcip, srcport, url, id<\/order>\r\n<\/decoder>\r\n<\/pre>\n
bin\/ossec-logtest \u3067Apache\u306e\u30a2\u30af\u30bb\u30b9\u30ed\u30b0\u304c\u5b9a\u7fa9\u3057\u305f\u30c7\u30b3\u30fc\u30c0\u3067\u89e3\u91c8\u3055\u308c\u308b\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n
IPv4\u306e\u5834\u5408<\/p>\n
\r\n# .\/bin\/ossec-logtest\r\n2017\/05\/08 11:24:06 ossec-testrule: INFO: Reading local decoder file.\r\n2017\/05\/08 11:24:06 ossec-testrule: INFO: Started (pid: 27).\r\nossec-testrule: Type one log per line.\r\n\r\n192.168.0.1 51349 - - [08\/May\/2017:11:06:00 +0900] "GET \/ HTTP\/1.1" 200 3269 "-" "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36"\r\n\r\n\r\n**Phase 1: Completed pre-decoding.\r\n       full event: '192.168.0.1 51349 - - [08\/May\/2017:11:06:00 +0900] "GET \/ HTTP\/1.1" 200 3269 "-" "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36"'\r\n       hostname: 'hogehoge'\r\n       program_name: '(null)'\r\n       log: '192.168.0.1 51349 - - [08\/May\/2017:11:06:00 +0900] "GET \/ HTTP\/1.1" 200 3269 "-" "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36"'\r\n\r\n**Phase 2: Completed decoding.\r\n       decoder: 'web-accesslog-custom'\r\n       srcip: '192.168.0.1'\r\n       srcport: '51349'\r\n       url: '\/'\r\n       id: '200'\r\n<\/pre>\n
IPv6\u306e\u5834\u5408<\/p>\n
\r\n# .\/bin\/ossec-logtest\r\n2017\/05\/08 11:26:23 ossec-testrule: INFO: Reading local decoder file.\r\n2017\/05\/08 11:26:23 ossec-testrule: INFO: Started (pid: 28).\r\nossec-testrule: Type one log per line.\r\n\r\n::1 38332 - - [08\/May\/2017:11:07:53 +0900] "GET \/ HTTP\/1.1" 200 4002 "-" "curl\/7.35.0"\r\n\r\n\r\n**Phase 1: Completed pre-decoding.\r\n       full event: '::1 38332 - - [08\/May\/2017:11:07:53 +0900] "GET \/ HTTP\/1.1" 200 4002 "-" "curl\/7.35.0"'\r\n       hostname: 'hogehoge'\r\n       program_name: '(null)'\r\n       log: '::1 38332 - - [08\/May\/2017:11:07:53 +0900] "GET \/ HTTP\/1.1" 200 4002 "-" "curl\/7.35.0"'\r\n\r\n**Phase 2: Completed decoding.\r\n       decoder: 'web-accesslog-custom'\r\n       srcip: '::1'\r\n       srcport: '38332'\r\n       url: '\/'\r\n       id: '200'\r\n<\/pre>\n
\u7121\u4e8b\u3001\u5b9a\u7fa9\u3057\u305f\u30c7\u30b3\u30fc\u30c0\u300cweb-accesslog-custom\u300d\u3067\u89e3\u91c8\u3055\u308c\u307e\u3057\u305f\u3002
\nOSSEC\u3092\u518d\u8d77\u52d5\u3059\u308b\u3068\u30c7\u30b3\u30fc\u30c0\u304c\u6709\u52b9\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n
OSSECv2.9.0\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306fOSSEC\u306eGitHub\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002
\nhttps:\/\/github.com\/ossec\/ossec-hids\/releases\/tag\/2.9.0<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
2017\u5e742\u67089\u65e5\u306bOSSEC\u306e\u30d0\u30fc\u30b8\u30e7\u30f32.9.0\u304c\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u307e\u3057\u305f\u3002 v2.9.0\u3067\u306fIPv6\u304c\u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3001IP\u30a2\u30c9\u30ec\u30b9\u3092\u89e3\u91c8\u3059\u308b\u30c7\u30b3\u30fc\u30c0\u306e\u5b9a\u7fa9\u304c\u66f4\u65b0\u3055\u308c\u3066\u3044\u307e\u3059\u3002 \u4ee5\u524d\u306e\u8a18\u4e8b\u3067\u3001\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306ePort\u756a\u53f7\u3092Ap […]<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[146],"class_list":["post-4375","post","type-post","status-publish","format-standard","hentry","category-tech","tag-ossec"],"_links":{"self":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts\/4375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4375"}],"version-history":[{"count":16,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts\/4375\/revisions"}],"predecessor-version":[{"id":4391,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=\/wp\/v2\/posts\/4375\/revisions\/4391"}],"wp:attachment":[{"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bitmeister.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}