Hi all,
I'm getting an alert on an internal server that, at one point, I had
been able to ignore. Recently I moved the logs that apache (win32
version) uses to a different drive for space considerations and since
doing so have begun getting the alert again. The reason I wish to
ignore the alert is due to its cause. The client software
(TortoiseSVN) simply requests methods not available currently.
Here is the alert:
Received From: ([myserver]) x.x.x.20->\apache2/logs/access.log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):
x.x.x.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:07:00:21 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:59:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:59:50 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
At one point I put the following into my local_rules.xml file on the
server which got rid of the message:
<rule id="100001" level="0">
<if_sid>31101</if_sid>
<srcip>x.x.x.0/16</srcip>
<description>Ignoring local network</description>
</rule>
I see that this new alert uses a different rule number so I've tried to
do the same thing by putting the following into the local_rules.xml
file:
<rule id="100005" level="0">
<if_sid>31151</if_sid>
<srcip>x.x.x.0/16</srcip>
<description>Ignoring local network</description>
</rule>
This does not seem to override anything and even after restarting ossec
I still receive the notifications every time someone uses the source
control client. Am I doing something wrong or simply missing a step
somewhere else?
Oh, as a side note I did modify the agent machine config with the new
path to the logs. It was a simple update since the line was already
there with the old logs. I did restart the windows service (NET STOP
OssecSvc;NET START OssecSvc) after the change.
Thanks in advance!
-Joel
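Added example, not part of Joel's post and not OSSEC's own code: a small re-implementation of what a "multiple 400-class responses from the same source IP" rule does, run over constructed Apache access-log lines modelled on the excerpt above. It parses the common log format, counts 4xx responses per client in a sliding time window, and drops clients inside an ignore network first, which is the effect the level-0 `<srcip>` override in the post is meant to have. The threshold of 8 hits in 120 seconds, the 10.0.0.90 client address and the repository paths are assumptions made for the example, not values taken from OSSEC or from the post.

```python
"""Added example (not from the original post or from OSSEC): a minimal
"multiple 4xx responses from one source IP" detector with a CIDR ignore
list, run over constructed Apache access-log lines."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: nine 401 responses from one client, modelled on the
# post's log excerpt. The address and paths are placeholders, not real hosts.
SAMPLE_LOG = """\
10.0.0.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND /svn/repo/Extranet/branches/SOW-101 HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/repo/proj/trunk HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/repo/proj/2.5 HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/repo/Extranet/branches/SOW-101 HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:07:00:21 -0700] "PROPFIND /svn/repo/proj/trunk HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:06:59:53 -0700] "PROPFIND /svn/repo/proj/2.5 HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:06:59:50 -0700] "PROPFIND /svn/repo/proj/trunk HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/repo/proj/trunk HTTP/1.1" 401 587
10.0.0.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/repo/Extranet/branches/SOW-101 HTTP/1.1" 401 587
"""

# Apache common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_4xx_bursts(lines, threshold=8, timeframe=120, ignore_nets=()):
    """Flag sources that produce `threshold` or more 4xx responses within
    `timeframe` seconds. Sources inside any network in `ignore_nets` are
    dropped before counting (the intended effect of a level-0 <srcip>
    override). The default threshold and timeframe are assumed values for
    the example, not OSSEC's. Returns a list of (ip, time, count) tuples."""
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 400 <= rec["status"] < 500:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in net for net in nets):
            continue
        events.append((rec["time"], rec["ip"]))
    # The post's excerpt is newest-first; windowed counting needs chronological order.
    events.sort()

    window = timedelta(seconds=timeframe)
    recent = {}  # ip -> timestamps still inside the window
    alerts = []
    for t, ip in events:
        bucket = recent.setdefault(ip, [])
        bucket.append(t)
        bucket[:] = [u for u in bucket if t - u <= window]
        if len(bucket) >= threshold:
            alerts.append((ip, t, len(bucket)))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("8 in 120s:", detect_4xx_bursts(lines))
    print("5 in 120s:", detect_4xx_bursts(lines, threshold=5))
    print("5 in 120s, 10.0.0.0/16 ignored:",
          detect_4xx_bursts(lines, threshold=5, ignore_nets=["10.0.0.0/16"]))
```

With the assumed 8-in-120-seconds setting the nine sample lines never reach the threshold (the densest two-minute span holds six), while a lower threshold of 5 fires four times; adding 10.0.0.0/16 to the ignore list silences it regardless of threshold, which is the behaviour a `<srcip>` override at level 0 is meant to give.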