How to ignore Mutiple web server 400 error codes

Kent Tong

Aug 23, 2009, 9:17:28 PM
to ossec-list
Hi,

In order to ignore:

Received From: cladmr003->/var/log/apache2/access.log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes
from same source ip."
Portion of the log(s):

172.18.16.212 - - [23/Aug/2009:13:32:16 +0800] "GET /cloning/vista/
autorunB HTTP/1.0" 404 336 "-" "Wget/1.11.3"
172.18.16.212 - - [23/Aug/2009:13:32:16 +0800] "GET /cloning/vista/
autorunA HTTP/1.0" 404 336 "-" "Wget/1.11.3"
172.18.16.212 - - [23/Aug/2009:13:32:16 +0800] "GET /cloning/vista/
autorun9 HTTP/1.0" 404 336 "-" "Wget/1.11.3"

I've added the following rule:

<rule id="123009" level="0">
<if_sid>31151</if_sid>
<id>^404</id>
<url>/cloning/vista/autorun*</url>
<description>Ignore rescue CD autorun probes</description>
</rule>

However, it is not working. I suppose it is because the <url> doesn't
support wildcards. But what can I do then?

Thanks for any info!

ddp

Aug 24, 2009, 12:02:25 PM
to ossec...@googlegroups.com
If they're all using the same general path (/cloning/vista/autorun),
why not use that for the <url>? It seems to work fine with a test rule
I tried it with.
The single log entries triggered a different rule using ossec-logtest,
so that's why the if_sid is different.

<rule id="110066" level="1">
<if_sid>31101</if_sid>
<match>/cloning/vista/autorun</match>
<id>^404</id>
<description>test</description>
</rule>
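To see why the original rule stays silent while the plain-prefix rule fires, the following added Python script (not from the thread, and not OSSEC's own code) decodes the three quoted access.log lines and applies both rules with a small approximation of OSSEC's sregex matcher, which I am assuming is what <match> and <url> use: '|' alternation, '^'/'$' anchors, and everything else literal, so the '*' in "autorun*" is just a character that never appears in the request path. The field names (id, url, srcip, full_log) and the sample lines are constructed for the example.

```python
import re

# Constructed sample lines, modelled on the three access.log entries quoted
# in the thread (re-joined onto single lines).
LOG_LINES = [
    '172.18.16.212 - - [23/Aug/2009:13:32:16 +0800] "GET /cloning/vista/autorunB HTTP/1.0" 404 336 "-" "Wget/1.11.3"',
    '172.18.16.212 - - [23/Aug/2009:13:32:16 +0800] "GET /cloning/vista/autorunA HTTP/1.0" 404 336 "-" "Wget/1.11.3"',
    '172.18.16.212 - - [23/Aug/2009:13:32:16 +0800] "GET /cloning/vista/autorun9 HTTP/1.0" 404 336 "-" "Wget/1.11.3"',
]

# Apache combined log: extract the fields an OSSEC web rule can test.
APACHE_RE = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) ')

def parse_apache(line):
    """Decode one access.log line into srcip, method, url, id and full_log."""
    m = APACHE_RE.match(line)
    if not m:
        raise ValueError("not an Apache combined log line: " + line)
    return dict(m.groupdict(), full_log=line)

def sregex_match(pattern, text):
    """Approximation (assumed) of OSSEC's sregex as used by <match>/<url>: '|' separates
    alternatives, leading '^' / trailing '$' anchor, everything else is literal. No '*' wildcard."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        literal = alt[1 if at_start else 0 : len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            ok = text == literal
        elif at_start:
            ok = text.startswith(literal)
        elif at_end:
            ok = text.endswith(literal)
        else:
            ok = literal in text
        if ok:
            return True
    return False

# Rule option -> decoded field it is tested against (constructed mapping).
OPTION_FIELD = {"id": "id", "url": "url", "match": "full_log", "srcip": "srcip"}

def rule_matches(rule, line):
    """True when every option of the (simplified) rule matches the decoded event."""
    fields = parse_apache(line)
    return all(sregex_match(pat, fields[OPTION_FIELD[opt]]) for opt, pat in rule.items())

# The original post's rule: the '*' is taken literally, so it never matches.
USER_RULE = {"id": "^404", "url": "/cloning/vista/autorun*"}
# The reply's rule: a plain path prefix, found as a substring of the whole line.
REPLY_RULE = {"id": "^404", "match": "/cloning/vista/autorun"}
```

Run with `python -c "import example; print([example.rule_matches(example.REPLY_RULE, l) for l in example.LOG_LINES])"` after saving as example.py; the reply's rule matches all three lines, the original rule none of them.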