Hi,
We have a similar issue w/ phpmyadmin false positives but in my case the
URLs don't have 'phpmyadmin' as we have phpmyadmin setup under the root
directory of a virtualhost (ie https://mysql.domain.com). So, does
anyone know how to best write a rule that would ONLY ignore rule #31103
for anyone accessing https://mysql.domain.com whenever http response is 200?
I came up with this rule but it's not an ideal rule as it ignores lots
of other virtualhosts on the same system:
<rule id="100013" level="0">
<if_sid>31103</if_sid>
<id>^200</id>
<match>.php?db=</match>
<description>phpMyAdmin events ignore</description>
</rule>
Here are some log entries:
xxx.xxx.xxx.253 - - [29/Jul/2007:08:21:08 -0400] "GET /sql.php?db=swan&table=users&token=a3e38a4648a58e23f62&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 28897
xxx.xxx.xxx.5 - - [29/Jul/2007:08:21:22 -0400] "GET /tbl_change.php?db=richard&table=moss&token=262f5718028e23f62&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60moss%60.%60id%60+%3D+62&sql_query=SELECT+%2A+FROM+%60moss%60&goto=sql.php HTTP/1.1" 200 41646
thx,
SW
LNick wrote:
> Hello,
>
> I was attempting to edit a mysql table using phpmyadmin on a system I
> have an OSSEC agent installed. I got the following alert:
>
> OSSEC HIDS Notification.
> 2007 May 09 09:11:36
>
> Received From: ubuntu-dev->/var/log/apache2/access.log
> Rule: 31106 fired (level 12) -> "A web attack returned code 200
> (success)."
> Portion of the log(s):
>
> 10.1.1.182 - - [09/May/2007:09:11:36 -0400] "GET /phpmyadmin/
> tbl_change.php?
> db=mbintranetdb&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=
> +%60wp_options%60.%60option_id%60+%3D+1+AND+%60wp_options%60.%60blog_id
> %60+%3D+0+AND+CONVERT%28%60wp_options%60.%60option_name%60+USING
> +utf8%29+%3D+%27siteurl%27&sql_query=SELECT+%2A+FROM+%60wp_options
> %60&goto=sql.php HTTP/1.1" 200 4660 "http://10.1.1.80/phpmyadmin/
> sql.php?
> db=wordpress&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0"
> "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
> 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
>
> The active response kicked in and blocked all traffic from my machine,
> so I added it to the white list on the OSSEC server by FQDN and IP,
> and restarted OSSEC on the server. However every time I try to edit
> with phpmyadmin I still get the alert and active response.
>
> Do I need to add a whitelist in the agent config? Or something else?
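An added example, not code from either poster: a small Python check that applies the two conditions of the posted rule 100013 (status code beginning with 200, and the literal text `.php?db=` somewhere in the line) to the log lines above plus a constructed request from a different virtual host, to show why the rule silences more than the phpMyAdmin host. It assumes, as the rule itself does, that OSSEC's apache decoder exposes the status code as the `id` field, and that `<match>` is a plain substring test with no wildcards (so the `?` and `.` are literal).

```python
import re

# Apache common/combined log prefix: host ident user [time] "METHOD url proto" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log. The first two lines are the ones from the post (addresses
# replaced with documentation addresses); the last two are made up to represent a
# request to an unrelated virtual host on the same server, once with 200 and once with 403.
SAMPLE_LOG = [
    '192.0.2.253 - - [29/Jul/2007:08:21:08 -0400] "GET /sql.php?db=swan&table=users'
    '&token=a3e38a4648a58e23f62&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 28897',
    '192.0.2.5 - - [29/Jul/2007:08:21:22 -0400] "GET /tbl_change.php?db=richard&table=moss'
    '&token=262f5718028e23f62&pos=0&session_max_rows=30 HTTP/1.1" 200 41646',
    '192.0.2.77 - - [29/Jul/2007:08:25:00 -0400] "GET /shop/index.php?db=catalog HTTP/1.1" 200 1201',
    '192.0.2.77 - - [29/Jul/2007:08:25:05 -0400] "GET /shop/index.php?db=catalog HTTP/1.1" 403 219',
]


def parse_access_log(line):
    """Return the fields the rule relies on (srcip, url, id = HTTP status), or None if unparsable."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    return {"srcip": m.group("srcip"), "url": m.group("url"), "id": m.group("status")}


def rule_100013_ignores(line, id_prefix="200", match=".php?db="):
    """Mimic the posted rule: <id>^200</id> anchors on the status field,
    <match>.php?db=</match> is a literal substring test against the whole log line."""
    fields = parse_access_log(line)
    if fields is None:
        return False
    return fields["id"].startswith(id_prefix) and match in line


def ignored_requests(lines):
    """List (srcip, url) for every line the rule would drop to level 0."""
    return [
        (f["srcip"], f["url"])
        for f in (parse_access_log(l) for l in lines if rule_100013_ignores(l))
    ]


if __name__ == "__main__":
    for srcip, url in ignored_requests(SAMPLE_LOG):
        print("ignored:", srcip, url)
```

Run on the sample, the third line (the unrelated `/shop/` virtual host) is ignored exactly like the phpMyAdmin requests, which is the over-match described in the post; only the 403 line survives because of the `^200` id check.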