web attack returned code 200


Leonardo Bacha Abrantes

Oct 16, 2012, 10:32:46 AM
to Grupo "OSSEC"
hey guys,


I received an alert about success on attack.
Looking in my access.log I found the log that started this alert:

1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694

**Phase 1: Completed pre-decoding.
full event: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
hostname: 'megatron'
program_name: '(null)'
log: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'

**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '1.2.3.4'
url: '/sample-folder/news/global-report..?page=91'
id: '200'

**Phase 3: Completed filtering (rules).
Rule id: '31106'
Level: '6'
Description: 'A web attack returned code 200 (success).'
**Alert to be generated.
The active response blocked the source IP. I checked the Integrity
Checking database and it didn't show any changes on files, so it was
a false positive.
Has anyone had the same issue?

many thanks!

dan (ddp)

Oct 16, 2012, 10:37:25 AM
to ossec...@googlegroups.com
It looks like the ".." in the url might have triggered 31104? The web
rules are unreliable, there's just too many ways for them to be wrong.
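To show why the ".." in a filename such as global-report..?page=91 produces this alert, here is an added example (not OSSEC's own decoder or rule code) that mimics the chain seen in the logtest output: decode the access-log line, apply a traversal check to the URL, and escalate when the response code is 200. The loose pattern stands in for what dan suspects behind 31104 and is an assumption, not OSSEC's actual regex; the tightened pattern only counts ".." when it is a whole path segment, which is how a rule override for this application could be scoped.

```python
import re

# Constructed sample lines in combined log format: the thread's false positive,
# a real traversal attempt that got a 200, and an encoded one that got a 404.
SAMPLE_LOG = """\
1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694
5.6.7.8 - - [16/Oct/2012:05:04:01 -0300] "GET /sample-folder/../../etc/passwd HTTP/1.1" 200 512
5.6.7.8 - - [16/Oct/2012:05:04:02 -0300] "GET /sample-folder/..%2f..%2fetc/passwd HTTP/1.1" 404 210
"""

# Minimal web-accesslog decoder: srcip, method, url and the status code (OSSEC's "id").
ACCESSLOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) ')

# Loose check (assumed stand-in for the 31104-style pattern): any ".." in the URL.
LOOSE_TRAVERSAL = re.compile(r'\.\.')
# Tightened check: ".." must be a whole path segment, i.e. preceded by "/" (or %2F)
# and followed by "/", %2F or the end of the path.
TIGHT_TRAVERSAL = re.compile(r'(?:/|%2f)\.\.(?:/|%2f|$)', re.IGNORECASE)


def decode(line):
    """Phase 2 equivalent: return the decoded fields, or None if the line is not an access log."""
    m = ACCESSLOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(line, traversal_re=TIGHT_TRAVERSAL):
    """Phase 3 equivalent: name the alert this line would raise, or None."""
    ev = decode(line)
    if ev is None:
        return None
    path = ev["url"].split("?", 1)[0]  # the query string is not part of the path
    if not traversal_re.search(path):
        return None
    if ev["id"] == "200":
        return "web-attack-returned-200"  # analogous to rule 31106 (level 6)
    return "web-attack"                  # analogous to the lower-level 31104 match


def run(log_text, traversal_re=TIGHT_TRAVERSAL):
    """Evaluate every line and pair each URL with its outcome."""
    return [(decode(l)["url"], evaluate(l, traversal_re))
            for l in log_text.splitlines() if l.strip()]
```

With LOOSE_TRAVERSAL the first line fires the success alert exactly as in the thread; with TIGHT_TRAVERSAL it is ignored while the two genuine traversal attempts are still flagged.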

Ryan Schulze

Oct 17, 2012, 6:41:26 PM
to ossec...@googlegroups.com

I'd strongly suggest avoiding any active responses on the web attack
rules until you've tweaked them to fit your applications ;-)

(and even then I'd really be careful since an attacker can use CSRF on a
random site in the internet to cause a victim to send queries to your
server that will trigger your active response)