Hi Steve, I think it may be related to the size of the URL. If the log entry is above 8k, OSSEC will just cut the rest of the message and only use the first part. Because of that, the rest of the Apache log will not parse and the decoder will fail, hence not getting the IP address. If you can open a bug about it at http://www.ossec.net/bugs/ , I will make sure to address that for a next release/snapshot.
Also, if you look at /var/ossec/logs/alerts.log for this entry, it should have no ip address parsed in there...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 29, 2008 3:45 AM, Steve West <[EMAIL PROTECTED]> wrote:
>
> OSSEC version: 1.3
> OS: CentOS release 5 (Final)
>
> Hi,
>
> Active response seems to work w/ certain rules but not others. Just
> wondering if anyone knows why the following web_rules.xml default rule
> doesn't generate an active response even though the level 13 is above
> what we have configured for active response triggers:
>
> <rule id="31115" level="13" maxsize="2900">
>   <if_sid>31100</if_sid>
>   <description>URL too long. Higher than allowed on most </description>
>   <description>browsers. Possible attack.</description>
>   <group>invalid_access,</group>
> </rule>
>
> The ossec.conf file has the following for active response:
>
> <active-response>
>   <command>host-deny</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>900</timeout>
> </active-response>
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>900</timeout>
> </active-response>
>
> Thanks,
>
> SW
>
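The failure chain Daniel describes (line cut at 8k, decoder regex no longer matches, no srcip, so host-deny/firewall-drop have nothing to block even though rule 31115 fires at level 13) can be reproduced with a small model of the pipeline. The following is an added example, not OSSEC's own code: the 8k limit and the rule 31115 level/maxsize come from the thread, while the prematch-plus-regex decoder split, the level 0 for parent rule 31100, the gating logic for active response and the sample log lines are assumptions constructed for illustration.

```python
import re

# Sizes: the 8k log-line limit is the figure from Daniel's reply above;
# 2900 is the maxsize of rule 31115 quoted in Steve's question.
MAX_LOG_BYTES = 8 * 1024
RULE_31115_MAXSIZE = 2900

# Assumed shape of the web-accesslog decoder: a cheap prematch that only
# checks the line starts with an IPv4 address, and a full regex that
# extracts fields from an Apache combined-format line.
PREMATCH_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3} ')
FIELDS_RE = re.compile(
    r'^(?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def collect(line: str, limit: int = MAX_LOG_BYTES) -> str:
    """Model the collector keeping only the first `limit` bytes of a line."""
    return line[:limit]


def decode(line: str) -> dict:
    """Model the decoder: decoded_as is set by the prematch, fields by the regex."""
    if not PREMATCH_RE.match(line):
        return {"decoded_as": None}
    m = FIELDS_RE.match(line)
    fields = m.groupdict() if m else {}   # regex failure -> no srcip extracted
    return {"decoded_as": "web-accesslog", **fields}


def analyse(line: str, ar_level: int = 6) -> dict:
    """Run one raw log line through collect -> decode -> rules -> active response."""
    kept = collect(line)
    dec = decode(kept)
    alert = None
    # Rule 31100 (assumed level 0) groups any web-accesslog line; 31115 is
    # its child and fires at level 13 when the line exceeds maxsize.
    if dec["decoded_as"] == "web-accesslog":
        alert = {"rule": 31100, "level": 0}
        if len(kept) > RULE_31115_MAXSIZE:
            alert = {"rule": 31115, "level": 13}
    srcip = dec.get("srcip")
    # host-deny / firewall-drop need a source address to act on (assumed gating).
    fires = alert is not None and alert["level"] >= ar_level and srcip is not None
    return {"alert": alert, "srcip": srcip, "active_response": fires,
            "truncated": len(kept) < len(line)}


def apache_line(url: str, ip: str = "192.0.2.10") -> str:
    """Build a constructed combined-format line (TEST-NET address) with the given URL."""
    return (f'{ip} - - [29/Jan/2008:03:45:00 +0000] "GET {url} HTTP/1.1" '
            f'414 0 "-" "constructed-ua"')


if __name__ == "__main__":
    cases = {
        "short": apache_line("/index.html"),        # below maxsize: level 0 only
        "long": apache_line("/" + "A" * 5000),      # > 2900 but < 8k: srcip kept, AR fires
        "huge": apache_line("/" + "A" * 20000),     # > 8k: truncated, srcip lost, no AR
    }
    for name, line in cases.items():
        print(name, analyse(line))
```

The "long" case shows the rule and the active response working as Steve expected; the "huge" case shows why a level 13 alert can still produce no block: the collector truncates mid-URL, the field regex no longer matches, and the alert carries no srcip, which is exactly what Daniel suggests checking for in /var/ossec/logs/alerts.log.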
