Hi all,
We have OSSEC running in production and I can say that this is a
quality program that is delivering deeper intelligence into our systems
from a security standpoint than we previously had, and it is a very nice
complementary component to our NIDS. Keep up the good work OSSEC
developers!
We run a hosting business and primarily do custom development and hosting
of the SugarCRM application. SugarCRM creates some very nasty URLs on
occasion such as the one pasted below, which in turn trip the OSSEC log
monitoring for Apache. I'm wondering what the best way is to craft a
rule that will stop alerting on similar URLs such as this while at the
same time, not missing real attacks which use long URLs. Any help would
be appreciated.
OSSEC HIDS Notification.
2007 Aug 28 09:18:26
Received From: (sugar1) X.X.X.X->/usr/local/apache2/logs/access_log
Rule: 31115 fired (level 13) -> "URL too long. Higher than allowed on
most browsers. Possible attack."
Portion of the log(s):
Y.Y.Y.Y - - [28/Aug/2007:09:18:24 -0400]
"GET
/triptophanicol/index.php?account_name=artus&module=Cases&action=Popup&query=true&request_data=%7Basynchronous_key%3A%26%2BA30%3B6591eb55-aBf1-c642-6123-46d41efda54a%26%23039%3B%2C+jsonObject%3A%7B%26quot%3B%5Cu0063%5Cu0061%5Cu006c%5Cu006c%5Cu005f%5Cu0062%5Cu0061%5Cu0063%5Cu006b%5Cu005f%5Cu0066%5Cu0075%5Cu006e%5Cu0063%5Cu0074%5Cu0069%5Cu006f%5Cu006e%26quot%3B%3A%26quot%3B%5Cu0073%5Cu0065%5Cu0074%5Cu005f%5Cu0072%5Cu0065%5Cu0074%5Cu0075%5Cu0072%5Cu006e%5Cu005f%5Cu0061%5Cu006e%5Cu0064%u9FC6af%5Cu0073%5Cu0061%5Cu0076%5Cu0065%5Cu005f%5Cu0062%5Cu0061%5Cu0063%5Cu006b%5Cu0067%5Cu0072%5Cu006f%5Cu0075%5Cu006e%5Cu0064%26quot%3B%2C%26quot%3B%5Cu0066%5Cu006f%5Cu0072%5Cu006d%5Cu005f%5Cu006e%5Cu0061%5Cu006d%5Cu0065%26quot%3B%3A%26quot%3B%5Cu0044%5Cu0065%5Cu0074%5Cu0061%5Cu0069%5Cu006c%5Cu0056%5Cu0069%5Cu0065%5Cu0077%26quot%3B%2C%26quot%3B%5Cu0066%5Cu0069%5Cu0065%5Cu006c%5Cu0064%5Cu005f%5Cu0074%5Cu006f%5Cu005f%5Cu006e%5Cu0061%5Cu006d%5Cu0
065%58Bd76f%5Cu0061%5Cu0072%5Cu0072%5Cu0061%5Cu0079%26quot%3B%3A%7B%
26quot%3B%5Cu0069%5Cu0064%26quot%3B%3A%26quot%3B%5Cu0073%5Cu0075%
5Cu0062%5Cu0070%5Cu0061%5Cu006e%5Cu0065%5Cu006c%5Cu005f%5Cu0069%5Cu0064%
26quot%3B%7D%2C%26quot%3B%5Cu0070%5C600u61%5Cu0073%5Cu0073%5Cu
--END OF NOTIFICATION
Best regards,
Clayton Dillard
Director of Information Technology
RPS Technology LLC
Tel: 919-319-4301 x205
www.rpstechnology.com
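One way to scope the suppression narrowly, added here as an illustration and not part of the original post or of OSSEC's shipped rule set: a child rule of 31115 in local_rules.xml that drops the alert to level 0 only when the decoded url field and the raw log line both carry markers specific to the SugarCRM popup request shown above, so long URLs hitting anything else on the host still fire 31115. Rule id 100100, the group name, and the two matched substrings are assumptions chosen for this example; the tighter those substrings are, the less of the original rule's coverage is given up.

```xml
<!-- local_rules.xml (assumed placement): rule ids 100000-119999 are reserved
     for local rules. This rule fires instead of 31115 only for the SugarCRM
     request shape from the notification above; everything else that 31115
     matched continues to alert at level 13. -->
<group name="local,apache,sugarcrm,">
  <rule id="100100" level="0">
    <!-- only evaluated after the stock "URL too long" rule has matched -->
    <if_sid>31115</if_sid>
    <!-- url is filled in by the web-accesslog decoder; this is a substring test,
         so it only hits the application entry point seen in the log -->
    <url>index.php?account_name=</url>
    <!-- second substring test on the raw log line, narrowing to the module
         that legitimately emits long request_data parameters -->
    <match>module=Cases</match>
    <description>SugarCRM popup request with long request_data; expected application behaviour, not an attack.</description>
  </rule>
</group>
```

After adding the rule, run ossec-logtest and paste the access_log line from the notification to confirm it now lands on 100100 at level 0, then paste an unrelated long URL to confirm 31115 still fires.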