Hi. I would just like some advice if I may.

I get this email notification maybe twice a day.

OSSEC HIDS Notification.
2018 Oct 20 14:18:33

Received From: server->/var/log/nginx/access.log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Src IP: 12.345.67.89
Portion of the log(s):

12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"


--END OF NOTIFICATION

The source IP is my workstation, so I know this is not an attack of sorts. 
This started after I installed a specific application and set up a reverse proxy 
for it (https://server.me.com). 
I have also whitelisted my IP (12.345.67.89).

To try and hide this message, I created a custom rule:

  <rule id="31122" level="0">
    <if_sid>31120</if_sid>
    <id>^500</id>
    <srcip>12.345.67.89</srcip>
    <description>Web server 500 error code (Internal Error).</description>
  </rule>

I cannot see that anything is blocked; my app works as I would have 
expected. The only thing is these emails that I get. Besides that, I have 
not noticed anything negative.


I still need to see if this makes a difference.
My questions:
1. Was this the right thing to do? 
2. Did I write the rule correctly?
3. This rule seems to be very generic (^500). Can I somehow be more specific? 
Maybe say that all 500 errors from/on the app "https://server.me.com"? If so, 
how?
4. Any other advice that would have resulted in a better outcome maybe?

As I am still new at OSSEC, advice will really be appreciated. 


Vissie
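As an added illustration that is not part of the original post: the same suppression written as a child rule in local_rules.xml, using a custom rule ID instead of redefining the stock rule 31122, and narrowed to the one source IP and the one URL seen in the log above. The rule ID 100100 and the group name are assumptions; 31122, the IP and the URL path come from the post.

```xml
<!-- Added example, not from the original post.
     A child rule that fires after the stock rule 31122 and, for this one
     source IP and this one request path, lowers the level to 0 so no alert
     (and therefore no email) is generated. Any other 500 error, from any
     other IP or on any other path, still raises 31122 at level 5. -->
<group name="local,web,accesslog,">

  <!-- 100100 is an assumed ID in the 100000-119999 range reserved for local rules -->
  <rule id="100100" level="0">
    <if_sid>31122</if_sid>
    <!-- srcip matches the client address decoded from the nginx access log
         (value as written in the post) -->
    <srcip>12.345.67.89</srcip>
    <!-- url matches the decoded request path; the ^ anchor restricts the
         match to this endpoint rather than every 500 from this client -->
    <url>^/rest/system/upgrade</url>
    <description>Ignore expected 500 on /rest/system/upgrade from the admin workstation.</description>
  </rule>

</group>
```

After editing local_rules.xml, the log line from the notification can be pasted into ossec-logtest to confirm that rule 100100 (level 0) is the one that matches before restarting OSSEC.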



You received this message because you are subscribed to the Google Groups 
"ossec-list" group.