Hi Gil,

You need to use <if_sid> instead of <if_matched_sid>. The latter is
only used for composite rules (when matching across multiple events).

Hope that helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sun, Feb 28, 2010 at 11:41 PM, Gil Vidals <gvid...@gmail.com> wrote:
> I am trying to override part of rule 31106, but it's not working. Any help
> or hints would be most welcome. I'm trying to avoid getting notified when
> this condition occurs:
> Received From: (croatia)
> 192.168.0.100->/hsphere/local/home/cpanel/apache/logs/access_log
> Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
> Portion of the log(s):
>
> 173.85.169.203 - - [27/Feb/2010:01:27:34 -0800] "GET
> /studio/servlet/psoft.counter.CounterService?action=count&id=411&accept-language=undefined&user-agent=Mozilla/5.0%20%28Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20en-US%3B%20rv%3A1.9.1.8%29%20Gecko/20100202%20Firefox/3.5.8%20%28.NET%20CLR%203.5.30729%29&size=1024&colors=32&ref=http%3A//www.google.com/search%3Fhl%3Den%26client%3Dfirefox-a%26hs%3DFWJ%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26ei%3DfOWIS46EEYP18QaRxe2aDw%26sa%3DX%26oi%3Dspellfullpage%26resnum%3D0%26ct%3Dresult%26cd%3D2%26ved%3D0CAYQvwUoAQ%26%26q%3Dspirit+life+christian+church+las+vegas%26spell%3D1&java=true&rand=0.057259379032712276
>  HTTP/1.1"
> 200 180
>
>
> Here is my first "failed" attempt of writing an override rule:
> <group name="web,accesslog,">
>   <!-- level one will still log it but not report it; if you do not want to
> log it at all use level="0" -->
>   <rule id="100101" level="1" timeframe="160">
>      <if_matched_sid>31106</if_matched_sid>
>      <regex>psoft.counter.CounterService</regex>
>      <description>sitestudio counter is not a web attack</description>
>      <group name="attack,"></group>
>   </rule>
> </group>
> And here are the rules that are responsible for the ossec alert I am trying
> to turn off.
>  <rule id="31104" level="6">
>     <if_sid>31100</if_sid>
>     <!-- Attempt to do directory transversal, simple sql injections,
>       -  or access to the etc or bin directory (unix). -->
>     <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
>     <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
>     <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
>     <url>cat%|exec%|rm%20</url>
>     <description>Common web attack.</description>
>     <info>http://www.armbrustconsulting.com/LogEntries.html</info>
>     <group>attack,</group>
>   </rule>
>   <rule id="31105" level="6">
>     <if_sid>31100</if_sid>
>     <url>%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
>     <url>%20ONLOAD=|INPUT%20|iframe%20</url>
>     <description>XSS (Cross Site Scripting) attempt.</description>
>     <group>attack,</group>
>   </rule>
>
>   <rule id="31106" level="12">
>     <if_sid>31103, 31104, 31105</if_sid>
>     <id>^200</id>
>     <description>A web attack returned code 200 (success).</description>
>     <group>attack,</group>
>   </rule>
> I would appreciate any help and advice.
> Thank you.
> Gil Vidals
>
>
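To make Daniel's point concrete, here is the override rewritten with <if_sid>, beside a composite rule that is the proper home for <if_matched_sid>. This is an added example, not code from the thread; it assumes the override lives in local_rules.xml, matches on the decoded <url> field rather than <regex>, and the ids and thresholds of the composite rule are illustrative values.

```xml
<group name="local,web,accesslog,">

  <!-- Override: a child of 31106 that matches the counter servlet.
       if_sid ties this rule to a single parent on the SAME event, so it
       fires instead of 31106 whenever the URL contains the counter path.
       Level 1 still logs the event; level="0" would drop it entirely. -->
  <rule id="100101" level="1">
    <if_sid>31106</if_sid>
    <url>psoft.counter.CounterService</url>
    <description>Site Studio counter hit is not a web attack.</description>
  </rule>

  <!-- Composite rule: where if_matched_sid belongs. It correlates a burst
       of 31106 alerts (frequency="10" from one source IP within 120 s)
       into a single higher-level alert, rather than refining one event.
       Rule id 100102 and both thresholds are assumed values for this example. -->
  <rule id="100102" level="13" frequency="10" timeframe="120">
    <if_matched_sid>31106</if_matched_sid>
    <same_source_ip />
    <description>Multiple successful web attacks from the same source IP.</description>
    <group>attack,</group>
  </rule>

</group>
```

After editing, restart OSSEC and replay the original access_log line with ossec-logtest to confirm 100101 now fires in place of 31106.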
