Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread dan (ddp)
No worries. You added some great information.

On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny  wrote:

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMqrUSqwcFHbOaHXV__mn9UKa5YYZ%3D%2BQM%3DMV7UPKMY7T%2Bw%40mail.gmail.com.


Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread Andrew S
Ah ok, this makes so much more sense now. Thank you for the clarifications :)

On Monday, 16 November 2020 at 17:48:24 UTC saw...@gmail.com wrote:



Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread Scott Wozny
ACK!  Sorry!  Didn't see you'd already replied, Dan...

What he said. :)

Scott


On Mon, Nov 16, 2020, 10:10 dan (ddp)  wrote:



Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread Scott Wozny
The GET / HTTP2.0 200 84 shows that someone on Sky Broadband in the UK
(2a02:c7d IPv6 address) asked for the / alias on your web server which was
returned to the user successfully (code 200) and was 84 bytes in length
(probably means the user was JS redirected to a specific page on your site,
which is common).  Since you don't identify your site, there's no way to
confirm the last bit with absolute certainty, but it's both in the ballpark
for size and extremely common so I'm confident in that guess. Your
webmaster should be able to confirm, though.

Since the daily mail site is the referrer, it means somewhere in that
article, the ads or the comments on that page there is a reference to your
site which someone clicked on. Since the referrer URL contained the generic
alert term "fail" that's what set off OSSEC. So that's why it's in your
logs.

You can either live with it knowing it's nothing (if it's a low enough
level of noise) or write a rule for the Daily Mail URL set to level 0 so it
doesn't log anymore. There's little you can do about some commenter on a
Daily Mail article linking to your site so you need to decide how much this
matters to you.

HTH,

Scott

On Mon, Nov 16, 2020, 07:27 Andrew S  wrote:



Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread dan (ddp)
On Mon, Nov 16, 2020 at 7:27 AM Andrew S  wrote:
>
> Hi Brian,
>
> Thank you for the clarification but I don't understand why someone would 
> associate our website with dailymail.co.uk ?
>

I haven't verified, but Brian mentioned dailymail being in the
referrer field. So there was (possibly) a link somewhere on the page
in the log message pointing at your site.



[ossec-list] Re: Unknown Alert

2020-11-16 Thread Andrew S
Hi Brian,

Thank you for the clarification but I don't understand why someone would
associate our website with dailymail.co.uk?

GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"

I understand the part of the log: GET / HTTP/2.0" 200

I don't understand:

84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"

Why 84 and why this dailymail URL?

Many thanks
Andrew

On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:



[ossec-list] Re: Unknown Alert

2020-11-16 Thread Brian Candler
Rule 1002 is a general catch-all rule which matches generic "bad words" 
like "failed" and "denied", as you can see here:

https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35

It's a false positive for you, since the word "failed" appears in the 
Referer field of your HTTP logs.  You can silence these by writing your own 
more specific rule to catch them, e.g.
https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74

On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:

> We keep receiving these notifications from OSSEC. Our site has nothing to 
> do with dailymail. Is this worrying or is this a false alert?
>
> Received From: server->/var/log/nginx/access.log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>

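Brian's advice (a more specific rule that catches these hits) and Scott's (a rule for the Daily Mail URL set to level 0) describe the same OSSEC construct: a level-0 child of rule 1002. The block below is an added example for this thread, not code from the list or from the ossec-rules repository. The rule id 100100 is an arbitrary pick from the 100000-119999 range OSSEC reserves for user-defined rules, and the file path is the default OSSEC install location; both are assumptions to adjust for your own deployment.

```xml
<!-- /var/ossec/rules/local_rules.xml (default OSSEC location; adjust for your install) -->
<group name="local,web,">

  <!-- Child of the generic bad-words rule 1002. Because of if_sid this rule is
       only evaluated for events that rule 1002 has already matched, and
       level 0 tells OSSEC to ignore those events instead of alerting on them. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <!-- match is a literal substring test against the raw log line, so this
         narrows the suppression to lines that carry the Daily Mail host, here
         the Referer field of the nginx access log entry from the alert. -->
    <match>dailymail.co.uk</match>
    <description>Ignore rule 1002 bad-word hits caused by a dailymail.co.uk referrer.</description>
  </rule>

</group>
```

After a restart (`/var/ossec/bin/ossec-control restart`) you can confirm the override with `/var/ossec/bin/ossec-logtest`: paste the full access-log line from the alert on stdin and the output should end with rule 100100 at level 0 rather than rule 1002 at level 2. Keep the match tied to the referrer host rather than to the word that tripped the rule; matching on `failed` would silence 1002 for every web log line containing it. The Referer and User-Agent fields are supplied by the visitor's browser, so any of the generic bad words can turn up there, and the practical approach is the one the thread suggests: tolerate the level-2 noise if it is rare, or add a narrow level-0 child like this one for each referrer that keeps recurring, rather than disabling 1002 outright.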