Hi, I just upgraded to 2.0 and I still see this bug has not yet been addressed (Bug ID 184). :-( OSSEC does send an e-mail warning out but no active-response takes place. Here is the e-mail I get from OSSEC and the Apache log entry if that helps:

OSSEC HIDS Notification.
2009 Mar 21 16:13:43

Received From: (Web_Server240) xxx.xxx.xxx.xxx->/var/log/httpd/access_log
Rule: 31115 fired (level 13) -> "URL too long. Higher than allowed on most browsers. Possible attack."
Portion of the log(s):

209.222.78.162 - /hsphere/local/home/user/domain.com/index.php - [21/Mar/2009:16:13:42 -0400] "GET /amtwiki/index.php/Special:Search?search=Hello%2C+kittin%21%0D%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww3.unileon.es%2Fpersonal%2Fwwdderae%2Fmoodle%2Fuser%2Fview.php%3Fid%3D373%26course%3D1+%22%3Erape+seed%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.gwsp.gliwice.pl%2Fmoodle%2Fuser%2Fview.php%3Fid%3D1466%26course%3D1+%22%3Ejapanese+rape+porn%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fmoodle.esev.ipv.pt%2Fcftr%2Fuser%2Fview.php%3Fid%3D1323%26course%3D1+%22%3Eviolent+porn%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.teclim.ufba.br%2Fmoodle%2Fuser%2Fview.php%3Fid%3D465%26course%3D1+%22%3Erape+hentai%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.desarrollo-tecnologico.com%2Faula%2Fuser%2Fview.php%3Fid%3D1209%26course%3D1+%22%3Ebrother+rapes+sister%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.aprendaki.net%2Fmoodle%2Fuser%2Fview.php%3Fid%3D684%26course%3D1+%22%3Eforced+sex+videos%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwwwb5.cyc.edu.tw%2Fmoodle%2Fuser%2Fview.php%3Fid%3D140%26course%3D1+%22%3Erape+sex%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.lasequia.org%2Fgrundtvig2%2Fuser%2Fview.php%3Fid%3D72%26course%3D1+%

And here is the Apache log entry:

209.222.78.162 - /hsphere/local/home/user/domain.com/index.php - [21/Mar/2009:16:13:42 -0400] "GET /amtwiki/index.php/Special:Search?search=Hello%2C+kittin%21%0D%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww3.unileon.es%2Fpersonal%2Fwwdderae%2Fmoodle%2Fuser%2Fview.php%3Fid%3D373%26course%3D1+%22%3Erape+seed%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.gwsp.gliwice.pl%2Fmoodle%2Fuser%2Fview.php%3Fid%3D1466%26course%3D1+%22%3Ejapanese+rape+porn%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fmoodle.esev.ipv.pt%2Fcftr%2Fuser%2Fview.php%3Fid%3D1323%26course%3D1+%22%3Eviolent+porn%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.teclim.ufba.br%2Fmoodle%2Fuser%2Fview.php%3Fid%3D465%26course%3D1+%22%3Erape+hentai%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.desarrollo-tecnologico.com%2Faula%2Fuser%2Fview.php%3Fid%3D1209%26course%3D1+%22%3Ebrother+rapes+sister%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.aprendaki.net%2Fmoodle%2Fuser%2Fview.php%3Fid%3D684%26course%3D1+%22%3Eforced+sex+videos%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwwwb5.cyc.edu.tw%2Fmoodle%2Fuser%2Fview.php%3Fid%3D140%26course%3D1+%22%3Erape+sex%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.lasequia.org%2Fgrundtvig2%2Fuser%2Fview.php%3Fid%3D72%26course%3D1+%22%3Eprison+rape%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.virtuaula.org%2Fuser%2Fview.php%3Fid%3D3137%26course%3D1+%22%3Erape+poems%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.e-metafora.com%2Fedutaiment%2Fuser%2Fview.php%3Fid%3D1661%26course%3D1+%22%3Efather+daughter+rape%3C%2Fa%3E%0A%0D%0AEnd+%5E%29+bye+kittin&go=Go&fulltext=Search HTTP/1.0" 200 15225 ?search=Hello%2C+kittin%21%0D%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww3.unileon.es%2Fpersonal%2Fwwdderae%2Fmoodle%2Fuser%2Fview.php%3Fid%3D373%26course%3D1+%22%3Erape+seed%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.gwsp.gliwice.pl%2Fmoodle%2Fuser%2Fview.php%3Fid%3D1466%26course%3D1+%22%3Ejapanese+rape+porn%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fmoodle.esev.ipv.pt%2Fcftr%2Fuser%2Fview.php%3Fid%3D1323%26course%3D1+%22%3Eviolent+porn%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.teclim.ufba.br%2Fmoodle%2Fuser%2Fview.php%3Fid%3D465%26course%3D1+%22%3Erape+hentai%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.desarrollo-tecnologico.com%2Faula%2Fuser%2Fview.php%3Fid%3D1209%26course%3D1+%22%3Ebrother+rapes+sister%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.aprendaki.net%2Fmoodle%2Fuser%2Fview.php%3Fid%3D684%26course%3D1+%22%3Eforced+sex+videos%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwwwb5.cyc.edu.tw%2Fmoodle%2Fuser%2Fview.php%3Fid%3D140%26course%3D1+%22%3Erape+sex%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.lasequia.org%2Fgrundtvig2%2Fuser%2Fview.php%3Fid%3D72%26course%3D1+%22%3Eprison+rape%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.virtuaula.org%2Fuser%2Fview.php%3Fid%3D3137%26course%3D1+%22%3Erape+poems%3C%2Fa%3E%0Asex+%3Ca+href%3D%22+http%3A%2F%2Fwww.e-metafora.com%2Fedutaiment%2Fuser%2Fview.php%3Fid%3D1661%26course%3D1+%22%3Efather+daughter+rape%3C%2Fa%3E%0A%0D%0AEnd+%5E%29+bye+kittin&go=Go&fulltext=Search "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)"

--END OF NOTIFICATION

I've updated the bug report... let's hope we can get a fix one of these days :-)

SW

Todd Long wrote:
> I see there's been a previous discussion about Active Response not
> working with Rule 31115 "URL too long."
> (http://groups.google.com/group/ossec-list/browse_thread/thread/277c7b721cc5795b/5f0759874c21e8d7?hl=en&lnk=gst&q=31115#5f0759874c21e8d7).
>
> I'm seeing the same behavior. The source IP address is in the OSSEC
> logs. Has this issue been solved and I'm missing something in the
> configuration, or has this never been addressed?
>
> <command>
>   <name>firewall-drop</name>
>   <executable>pf.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>defined-agent</location>
>   <agent_id>003</agent_id>
>   <rules_id>31115</rules_id>
>   <timeout>86400</timeout>
> </active-response>
>
> I'm using FreeBSD, so I've changed <executable> to pf.sh. If I change
> the <rules_id> to 31151 "Mutiple web server 400 error codes from same
> source ip", Active Response acts the way I expect it to.
>
> Thanks
>
> Todd Long
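The configuration quoted above binds a command with `<expect>srcip</expect>` to rule 31115, so the response can only fire if the web-accesslog decoder actually yields a source IP for the offending line. The script below is an added example, not code from the thread or from OSSEC: it walks a log line through a decode step, a URL-length trigger modelled on what rule 31115 reacts to, and the argument list a firewall-drop script would receive. The regex is a simplified stand-in for OSSEC's decoder (it accepts any number of fields between the client IP and the timestamp, so it decodes both the standard three-field prefix and the four-field H-Sphere prefix seen in the posted entry), `MAX_URL_LEN` is an assumed threshold rather than the value from `web_rules.xml`, and the sample lines are constructed with placeholder hosts.

```python
"""Pre-flight check for an OSSEC active response bound to a web rule.

Added example; not code from the thread or from OSSEC. The regex is a
simplified stand-in for OSSEC's web-accesslog decoder and MAX_URL_LEN is an
assumed threshold. The authoritative check on a real install is to feed the
line to /var/ossec/bin/ossec-logtest and look for a srcip in the decode phase.
"""
import re

# Assumed threshold for the demonstration only; rule 31115's real cut-off
# lives in OSSEC's web_rules.xml.
MAX_URL_LEN = 2000

# Simplified stand-in for OSSEC's decoder. Anything between the client IP and
# the "[timestamp]" is skipped, so the H-Sphere layout in the thread (a path in
# the ident slot, a %q query string after the byte count) decodes as well as a
# plain combined-format line.
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) [^\[]*\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)


def decode(line):
    """Return the fields active response needs, or None if the line does not decode."""
    m = ACCESS_LOG_RE.match(line)
    if m is None:
        return None
    return {"srcip": m.group("srcip"), "url": m.group("url"), "id": m.group("status")}


def url_too_long(fields, limit=MAX_URL_LEN):
    """Model of the rule's trigger: the decoded URL is longer than the limit."""
    return len(fields["url"]) > limit


def active_response_args(fields, action="add", user="-"):
    """Leading arguments that OSSEC's stock firewall-drop.sh / pf.sh read as
    ACTION=$1, USER=$2, IP=$3. Returns None when no srcip was decoded, which
    is exactly the case <expect>srcip</expect> cannot be satisfied in."""
    if not fields or not fields.get("srcip"):
        return None
    return [action, user, fields["srcip"]]


def check_line(line):
    """Walk one log line through decode -> rule -> response and report each step."""
    fields = decode(line)
    if fields is None:
        return {"decoded": False, "too_long": False, "args": None}
    too_long = url_too_long(fields)
    return {
        "decoded": True,
        "too_long": too_long,
        "args": active_response_args(fields) if too_long else None,
    }


# Constructed sample lines. LONG_LINE mirrors the shape of the posted entry
# (same client IP, H-Sphere ident path, %q after the byte count) with a
# generated query string; example.org is a placeholder host.
LONG_QUERY = "search=Hello%2C+kittin%21%0D%0A" + "%0A".join(
    f"sex+%3Ca+href%3D%22http%3A%2F%2Fexample.org%2Fuser%2Fview.php%3Fid%3D{i}%22%3Elink{i}%3C%2Fa%3E"
    for i in range(40)
) + "&go=Go&fulltext=Search"
LONG_LINE = (
    '209.222.78.162 - /hsphere/local/home/user/domain.com/index.php - '
    '[21/Mar/2009:16:13:42 -0400] '
    f'"GET /amtwiki/index.php/Special:Search?{LONG_QUERY} HTTP/1.0" 200 15225 '
    f'?{LONG_QUERY} "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)"'
)
SHORT_LINE = (
    '203.0.113.7 - - [21/Mar/2009:16:20:01 -0400] '
    '"GET /amtwiki/index.php/Main_Page HTTP/1.1" 200 4821 "-" "Mozilla/5.0"'
)
UNDECODABLE_LINE = "Mar 21 16:21:05 web240 httpd: worker restarted"

if __name__ == "__main__":
    for name, line in [("long", LONG_LINE), ("short", SHORT_LINE), ("other", UNDECODABLE_LINE)]:
        print(name, check_line(line))
```

On a real OSSEC install the equivalent check is to paste the offending line into `/var/ossec/bin/ossec-logtest` and confirm the decoding phase reports a `srcip` field; if it does not, a command declared with `<expect>srcip</expect>` has nothing to act on no matter which rule fires, and that is the first thing to rule out before chasing the rule binding itself.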
