ah ok, this makes so much more sense now. thank you for the clarifications 
:) 

On Monday, 16 November 2020 at 17:48:24 UTC saw...@gmail.com wrote:

> ACK!  Sorry!  Didn't see you'd already replied, Dan...
>
> What he said. :)
>
> Scott
>
>
> On Mon, Nov 16, 2020, 10:10 dan (ddp) <ddp...@gmail.com> wrote:
>
>> On Mon, Nov 16, 2020 at 7:27 AM Andrew S <banan...@gmail.com> wrote:
>> >
>> > Hi Brian,
>> >
>> > Thank you for the clarification but I don't understand why someone
>> > would associate our website with dailymail.co.uk ?
>> >
>>
>> I haven't verified, but Brian mentioned dailymail being in the
>> referrer field. So there was (possibly) a link somewhere on the page
>> in the log message pointing at your site.
>>
>> > GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>> >
>> > I understand the part of the log: GET / HTTP/2.0" 200
>> >
>> > I don't understand:
>> >
>> > 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>> >
>> > Why 84 and why this dailymail URL ?
>> >
>> > many thanks
>> > Andrew
>> >
>> > On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
>> >>
>> >> Rule 1002 is a general catch-all rule which matches generic "bad
>> >> words" like "failed" and "denied", as you can see here:
>> >>
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>> >>
>> >> It's a false positive for you, since the word "failed" appears in the
>> >> Referer field of your HTTP logs.  You can silence these by writing your own
>> >> more specific rule to catch them, e.g.
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>> >>
>> >> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>> >>>
>> >>> We keep receiving these notifications from OSSEC. Our site has
>> >>> nothing to do with dailymail. Is this worrying or is this a false alert?
>> >>>
>> >>> Received From: server->/var/log/nginx/access.log
>> >>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>> >>> system."
>> >>> Portion of the log(s):
>> >>>
>> >>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google 
>> Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an email to ossec-list+...@googlegroups.com.
>> > To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ossec-list/7a59f156-2823-4945-a828-6d9bc7f5c4e4n%40googlegroups.com
>> .
>>
>
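A local rule of the kind Brian points to, written here as an added example (it is not code from the thread or from the ossec-rules repository): it hangs under rule 1002 and drops the alert when the line is a successful (2xx) nginx access-log entry carrying a Referer, so a "bad word" inside that Referer or the User-Agent no longer pages anyone. The rule id 100200 is an assumption, as is the file location; the nginx combined-format layout in the comment is what explains the 200, the 84 and the dailymail URL in the alerted line.

```xml
<!-- Added example, assumed to live in /var/ossec/rules/local_rules.xml
     (the usual place for site-specific rules). -->
<group name="local,nginx,">

  <!-- nginx's default "combined" format is:
         $remote_addr - $remote_user [$time_local] "$request" $status
         $body_bytes_sent "$http_referer" "$http_user_agent"
       so in the alerted line 200 is the status, 84 the bytes sent, and the
       dailymail URL is the Referer the visitor's browser sent along. -->

  <rule id="100200" level="0">
    <if_sid>1002</if_sid>
    <!-- Only for lines that look like a completed 2xx request followed by a
         quoted Referer starting with http. Any "bad word" on such a line is
         text in the Referer, the User-Agent or the requested path, not a
         failure of the server. OSSEC regex syntax: \d is a digit, \. is
         any single character (here the dot in HTTP/2.0), + is one or more. -->
    <regex>HTTP/\d\.\d" 2\d\d \d+ "http</regex>
    <!-- Keep it to the word from the thread; add the other $BAD_WORDS
         (denied, ...) here if they produce the same noise for you. -->
    <match>failed</match>
    <description>Ignore rule 1002 on nginx 2xx access-log lines where "failed" comes from the Referer/User-Agent.</description>
  </rule>

</group>
```

After restarting OSSEC (/var/ossec/bin/ossec-control restart), paste the original log line into /var/ossec/bin/ossec-logtest: it should now report rule 100200 at level 0 instead of 1002 at level 2. Tighten <match> to the referring host if you only want this one site silenced rather than every 2xx line containing the word.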
