Hi LNick,

As Steve suggested, the best way to ignore those is by creating a
local rule. A simple one would be:

<rule id="100013" level="0">
    <if_sid>31103</if_sid>
    <url>^/phpmyadmin/</url>
    <description>Ignoring phpMyAdmin events.</description>
</rule>

Just copy it to your /var/ossec/rules/local_rules.xml and it should
solve your problem.

Regarding the white list, it should have worked too, but you would
still get the alerts, but not the active response. If you can show us
your ossec config and active response log, we can try to see what is
going on.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
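
To make the ignore rule less blunt, here is an added example (an editor's addition, not part of Daniel's reply and not one of the OSSEC project's shipped rules) that scopes the level-0 override to the administrator's own workstation, 10.1.1.182 from LNick's log line, so that phpMyAdmin requests from any other source still raise 31106. The second excerpt shows the white_list entry in the manager's ossec.conf that suppresses the active response without suppressing the alert, which is the behaviour Daniel describes above. The rule id 100014 and the choice to key on srcip are assumptions made for this example.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; rule id 100014 and the
     srcip scoping are assumptions for this example, not from the thread) -->
<group name="local,web,">
  <!-- Same parent as Daniel's rule: 31103 is the generic web-attack rule that
       31106 ("returned code 200") builds on. Level 0 means "never alert", so
       nothing is logged and no active response is triggered for this match.
       Requests to /phpmyadmin/ from any other address are not matched here and
       still fall through to 31106 at level 12. -->
  <rule id="100014" level="0">
    <if_sid>31103</if_sid>
    <url>^/phpmyadmin/</url>
    <srcip>10.1.1.182</srcip>
    <description>Ignoring phpMyAdmin usage from the admin workstation.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the manager (excerpt). white_list only stops
     the active response for this source; the level-12 alert is still generated,
     which is why a local rule is needed if the alerts themselves are unwanted. -->
<ossec_config>
  <global>
    <white_list>10.1.1.182</white_list>
  </global>
</ossec_config>
```

After editing either file, restart with /var/ossec/bin/ossec-control restart and pipe the offending access.log line into /var/ossec/bin/ossec-logtest: it prints the rule id and level that matched, so you can confirm that 100014 (level 0) wins for 10.1.1.182 while the same request from another address still ends at 31106.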


On 5/9/07, LNick <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> I was attempting to edit a mysql table using phpmyadmin on a system where I
> have an OSSEC agent installed.  I got the following alert:
>
> OSSEC HIDS Notification.
> 2007 May 09 09:11:36
>
> Received From: ubuntu-dev->/var/log/apache2/access.log
> Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
> Portion of the log(s):
>
> 10.1.1.182 - - [09/May/2007:09:11:36 -0400] "GET /phpmyadmin/tbl_change.php?db=mbintranetdb&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60wp_options%60.%60option_id%60+%3D+1+AND+%60wp_options%60.%60blog_id%60+%3D+0+AND+CONVERT%28%60wp_options%60.%60option_name%60+USING+utf8%29+%3D+%27siteurl%27&sql_query=SELECT+%2A+FROM+%60wp_options%60&goto=sql.php HTTP/1.1" 200 4660 "http://10.1.1.80/phpmyadmin/sql.php?db=wordpress&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
>
> The active response kicked in and blocked all traffic from my machine,
> so I added it to the white list on the OSSEC server by FQDN and IP,
> and restarted OSSEC on the server.  However, every time I try to edit
> with phpmyadmin I still get the alert and active response.
>
> Do I need to add a whitelist in the agent config?  Or something else?
>
>
