That is because with GET parameters it is not a simple query (rule 31108):

**Phase 1: Completed pre-decoding.
       full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '10.10.10.10'
       url: '/icons/whatever/?C=http://5.6.7.8/requeststringtest.php;'
       id: '200'

**Rule debugging:
    Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
    Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
    Trying rule: 31108 - Ignored URLs (simple queries).
    Trying rule: 31511 - Blacklisted user agent (wget).

This is working:

<!--
10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...
10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...
-->
<rule id="100060" level="5">
  <if_sid>31100,31108</if_sid>
  <match>requeststringtest.php</match>
  <description>request string test 2</description>
</rule>

Regards.
Jesus Linares.

On Thursday, February 25, 2016 at 5:11:48 PM UTC+1, James Culver wrote:
>
> Thanks. I have tested your version of the rule, and it works *so long as*
> there aren't GET parameters in the requested URI.
>
> For example, the following request triggers an alert:
> 1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 200 68393 blahblahblah
>
> However, this request is ignored:
> 1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 200 68393 blahblahblah
>
> Any ideas why that is?
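The behaviour the two posts describe can be reproduced with a small model of OSSEC-style rule matching run over two constructed access-log lines. This is an added example, not code from the thread and not OSSEC's own evaluation code; it assumes (a simplification of what analysisd really does) that a rule is tried only after one of the parents in its if_sid list has matched, that children are tried in load order and the first matching child wins, and that finishing on a level-0 rule such as 31108 means the line is ignored. The expression given to 31108 here (any URL without a `?`) is a constructed stand-in for the real one in web_rules.xml, and the two sample lines are constructed in the shape of the thread's examples.

```python
"""Simplified model of OSSEC-style parent/child rule evaluation.

Added illustration for the thread above; NOT OSSEC's code and NOT the
thread's rule file.  Assumptions (mine, not from the posts):
  * a rule is tried only after one of the parents in its if_sid list matched;
  * children are tried in load order and the first matching child wins;
  * if the deepest matching rule has level 0 the line is ignored.
The expression given to 31108 below (URL contains no '?') is a constructed
stand-in for the real one in web_rules.xml.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    level: int
    description: str
    if_sid: tuple = ()      # parent SIDs; empty tuple means top-level rule
    match: str = ""         # plain substring test, like OSSEC <match>
    url_regex: str = ""     # stand-in for a <url> test on the decoded URL


# Same field layout the web-accesslog decoder reported in the thread.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<id>\d{3}) '
)


def decode(line):
    """Return decoder fields for an access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def rule_matches(rule, line, fields):
    """Apply the rule's <match> substring and (stand-in) URL test to one line."""
    if rule.match and rule.match not in line:
        return False
    if rule.url_regex and not re.search(rule.url_regex, fields["url"]):
        return False
    return True


def evaluate(rules, line):
    """Return the deepest matching rule for `line`, or None if nothing matched."""
    fields = decode(line)
    if fields is None:
        return None
    children = {}
    for r in rules:
        for parent in (r.if_sid or (None,)):
            children.setdefault(parent, []).append(r)

    def walk(parent):
        # First matching child wins; descend into its own children.
        for r in children.get(parent, []):
            if rule_matches(r, line, fields):
                deeper = walk(r.sid)
                return deeper if deeper is not None else r
        return None

    return walk(None)


BASE_RULES = [
    Rule(31100, 0, "Access log messages grouped."),
    Rule(31108, 0, "Ignored URLs (simple queries).", if_sid=(31100,),
         url_regex=r"^[^?]*$"),   # constructed stand-in pattern, not the real one
]


def custom_rule(parents):
    """The thread's rule 100060 with a configurable <if_sid> list."""
    return Rule(100060, 5, "request string test 2", if_sid=tuple(parents),
                match="requeststringtest.php")


# Constructed lines in the shape of the thread's examples.
PLAIN = ('10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] '
         '"GET /icons/whatever/requeststringtest.php HTTP/1.1" 200 68393 "-" "-"')
PARAM = ('10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] '
         '"GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 200 68393 "-" "-"')


def alerts_for(parents):
    """Map each sample line to the alerting rule SID, or None when it is ignored."""
    rules = BASE_RULES + [custom_rule(parents)]
    out = {}
    for name, line in (("plain", PLAIN), ("param", PARAM)):
        r = evaluate(rules, line)
        out[name] = r.sid if r is not None and r.level > 0 else None
    return out


if __name__ == "__main__":
    for parents in ([31108], [31100], [31100, 31108]):
        sids = ",".join(map(str, parents))
        print(f"<if_sid>{sids}</if_sid> -> {alerts_for(parents)}")
```

Running it prints one result per if_sid variant: parented only on 31108 the custom rule alerts on the plain URL and never sees the parametrised one, parented only on 31100 it is the other way round because 31108 claims the plain URL first, and only `<if_sid>31100,31108</if_sid>` alerts on both, which is the change highlighted in the reply above.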