That is because with GET parameters it is not a simple query (rule 31108):

**Phase 1: Completed pre-decoding.
       full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'


**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '10.10.10.10'
       url: '/icons/whatever/?C=http://5.6.7.8/requeststringtest.php;'
       id: '200'


**Rule debugging:
    Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
    Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
    
    Trying rule: 31108 - Ignored URLs (simple queries).
    Trying rule: 31511 - Blacklisted user agent (wget).


This is working:

  <!--
  10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...
  10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...
  -->
  <rule id="100060" level="5">
    <if_sid>31100,31108</if_sid>
    <match>requeststringtest.php</match>
    <description>request string test 2</description>
  </rule>


Regards.
Jesus Linares.


On Thursday, February 25, 2016 at 5:11:48 PM UTC+1, James Culver wrote:
>
> Thanks. I have tested your version of the rule, and it works *so long as* 
> there aren't GET parameters in the requested URI.
>
> For example, the following request triggers an alert:
> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET 
> /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>
> However, this request is ignored:
> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=
> http://5.6.7.8/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>
> Any ideas why that is?
>
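The thread's point, that a child rule hung only under 31108 is never reached when the URL carries GET parameters because 31108 ("simple queries") does not match and the engine moves on to its siblings, can be reproduced with a small model of OSSEC's rule tree. The following is an added example written for this thread, not code from OSSEC or from either poster: the access-log decoder regex and the "simple query" regex for 31108 are simplified stand-ins, the two log lines are constructed in the format shown above, and the tree walk assumes the documented behaviour that the first matching rule at a level wins and only its children are then tried.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Stand-in for the OSSEC web-accesslog decoder (constructed for this example,
# not the decoder shipped with OSSEC): extracts srcip, url and the status code.
ACCESSLOG_RE = re.compile(r'^(\S+) \S+ \S+ ?\[[^\]]+\] "\w+ (\S+) HTTP/[\d.]+" (\d+)')

# Constructed sample lines in the format of the thread's logtest output.
SIMPLE_LINE = ('10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] '
               '"GET /icons/whatever/requeststringtest.php HTTP/1.1" 200 1234')
PARAMS_LINE = ('10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] '
               '"GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 1234')


def decode(log: str) -> dict:
    """Phase 2 of logtest, reduced to the fields the rules below look at."""
    m = ACCESSLOG_RE.match(log)
    if not m:
        return {"log": log, "decoder": None}
    return {"log": log, "decoder": "web-accesslog",
            "srcip": m.group(1), "url": m.group(2), "id": m.group(3)}


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: tuple = ()             # parent rule ids; empty means a top-level rule
    decoded_as: Optional[str] = None
    url: Optional[str] = None      # regex tested against the decoded url field
    match: Optional[str] = None    # substring tested against the whole log line
    children: list = field(default_factory=list)

    def matches(self, ev: dict) -> bool:
        if self.decoded_as is not None and ev.get("decoder") != self.decoded_as:
            return False
        if self.url is not None and not re.search(self.url, ev.get("url", "")):
            return False
        if self.match is not None and self.match not in ev["log"]:
            return False
        return True


def build_rules(user_if_sid: tuple) -> list:
    """Rule set shaped like the thread's logtest trace; regexes are simplified stand-ins."""
    rules = [
        Rule(4, 0, "Generic template for all web rules.", decoded_as="web-accesslog"),
        Rule(31100, 0, "Access log messages grouped.", if_sid=(4,), decoded_as="web-accesslog"),
        # 31108 swallows "simple" URLs: here, a bare path with no query characters (stand-in regex).
        Rule(31108, 0, "Ignored URLs (simple queries).", if_sid=(31100,), url=r'^/[^?;&=]*$'),
        Rule(31511, 6, "Blacklisted user agent (wget).", if_sid=(31100,), match="Wget"),
        # The custom rule from the thread; its <if_sid> is what we vary.
        Rule(100060, 5, "request string test 2", if_sid=user_if_sid, match="requeststringtest.php"),
    ]
    by_id = {r.id: r for r in rules}
    roots = []
    for r in rules:
        if not r.if_sid:
            roots.append(r)
        for parent in r.if_sid:    # a rule listing several if_sid parents hangs under each of them
            by_id[parent].children.append(r)
    return roots


def evaluate(rules: list, ev: dict, trace: list) -> Optional[Rule]:
    """First matching rule at a level wins; its children are then tried and the deepest match is kept."""
    for rule in rules:
        trace.append(f"Trying rule: {rule.id} - {rule.description}")
        if rule.matches(ev):
            trace.append(f"*Rule {rule.id} matched.")
            deeper = evaluate(rule.children, ev, trace)
            return deeper if deeper is not None else rule
    return None


def final_rule(log: str, user_if_sid: tuple, trace: Optional[list] = None) -> tuple:
    """Return (rule id, level) the line ends on; level 0 means no alert is raised."""
    trace = [] if trace is None else trace
    hit = evaluate(build_rules(user_if_sid), decode(log), trace)
    return (hit.id, hit.level) if hit else (None, 0)


if __name__ == "__main__":
    for label, sids in (("if_sid 31108 only", (31108,)), ("if_sid 31100,31108", (31100, 31108))):
        for name, line in (("simple URL", SIMPLE_LINE), ("URL with GET params", PARAMS_LINE)):
            trace = []
            print(f"{label:20} {name:20} -> {final_rule(line, sids, trace)}")
            print("   " + "\n   ".join(trace))
```

With `<if_sid>31108</if_sid>` alone, the line with GET parameters stops at 31100 (level 0, no alert) and rule 100060 never appears in the trace, exactly as in the logtest output above; listing both parents makes 100060 a child of 31100 as well, so it is tried after 31108 and 31511 fail and fires on both lines.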
