Hi guys. I'm using SVN for a book project. Well, SVN causes a lot of errors and bans in ossec and so I wrote a new rule for this repository. This rule should match every SVN repository log entry. But one rule still fires and blocks the up/download. Here is my written rule:

<rule id="100003" level="0">
  <if_sid>31101, 31104</if_sid>
  <id>^404</id>
  <url>^/nyrothia</url>
  <description>Ignored 404 error codes for url /nyrothia</description>
  <group>web_scan,recon,</group>
</rule>

The rule 31104 still fires.

** Alert 1243096755.197906: - web,accesslog,attack,
2009 May 23 18:39:15 kokyt0s->/var/log/apache2/access_nyrothia.de_ssl.log
Rule: 31104 (level 6) -> 'Common web attack.'
Src IP: xxx.xxx.xxx.xxx
User: (none)
xxx.xxx.xxx.xxx - user1 [23/May/2009:18:39:15 +0200] "PROPPATCH /nyrothia/!svn/wrk/9ba6f11b-713d-43aa-b863-e6e77c10942f/n_skizzen/dampfeisenwurm%20concepts.xcf HTTP/1.1" 207 504 "-" "SVN/1.5.1 (r32289) neon/0.28.2"

(yeah, unfortunately the filename contains "rm%20")

Can someone give me a hint why the rule 31104 still fires? How can I solve this?

Thanks in advance.

--
Andre Pawlowski
-------------------------------------------------------------------
If our gods and hopes are nothing but scientific phenomena, then we must call our love science as well.
-L'eve Future
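
Added example, not part of the original post and not OSSEC's own code: a simplified Python model that decodes the logged request into the url and id (HTTP status) fields and checks each condition of rule 100003 against it. The decoder regex, the function names and the `URL_ONLY` comparison rule are assumptions made for illustration.

```python
import re

# Log line from the alert in the post (source IP is masked there).
LOG = ('xxx.xxx.xxx.xxx - user1 [23/May/2009:18:39:15 +0200] '
       '"PROPPATCH /nyrothia/!svn/wrk/9ba6f11b-713d-43aa-b863-e6e77c10942f/'
       'n_skizzen/dampfeisenwurm%20concepts.xcf HTTP/1.1" 207 504 "-" '
       '"SVN/1.5.1 (r32289) neon/0.28.2"')

# Assumed stand-in for the access-log decoder: it extracts srcip, url and id,
# where id is the HTTP status code of the request.
ACCESS_RE = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
                       r'"\S+ (?P<url>\S+) [^"]*" (?P<id>\d{3}) ')

# Conditions of rule 100003 exactly as posted.
RULE_100003 = {"id": r"^404", "url": r"^/nyrothia"}
# Hypothetical comparison rule: same url condition, no status condition.
URL_ONLY = {"url": r"^/nyrothia"}


def decode(line):
    """Return the decoded fields of an access-log line, or None."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def evaluate(rule, fields):
    """Check every condition of a rule; returns {field: matched?}."""
    return {name: re.search(pattern, fields[name]) is not None
            for name, pattern in rule.items()}


def rule_applies(rule, fields):
    """A child rule only takes over from its parent if ALL conditions match."""
    return all(evaluate(rule, fields).values())


if __name__ == "__main__":
    fields = decode(LOG)
    print("decoded id :", fields["id"])
    print("decoded url:", fields["url"])
    # The substring the post identifies as the trigger for rule 31104.
    print('url contains "rm%20":', "rm%20" in fields["url"])
    for name, ok in evaluate(RULE_100003, fields).items():
        print(f"  <{name}>{RULE_100003[name]}</{name}>:",
              "match" if ok else "NO MATCH")
    print("rule 100003 applies:", rule_applies(RULE_100003, fields))
    print("url-only rule applies:", rule_applies(URL_ONLY, fields))
```

The request in the alert was answered with status 207, so the `<id>^404</id>` condition fails and the level 0 child rule never replaces 31104 for this line.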