Daniel, Thank you so much for your answer. I will try your suggestion today.
By the way, I am relatively new to OSSEC and have been enjoying your product. I am using it on about a dozen linux servers and I plan on becoming more proficient with it.

--Gil Vidals

On Mon, Mar 1, 2010 at 10:28 AM, Daniel Cid <[email protected]> wrote:
> Hi Gil,
>
> You need to use <if_sid> instead of <if_matched_sid>. The latter is
> only used for composite rules (when matching across multiple events).
>
> hope that helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sun, Feb 28, 2010 at 11:41 PM, Gil Vidals <[email protected]> wrote:
> > I am trying to override part of rule 31106, but it's not working. Any help
> > or hints would be most welcome. I'm trying to avoid getting notified when
> > this condition occurs:
> >
> > Received From: (croatia) 192.168.0.100->/hsphere/local/home/cpanel/apache/logs/access_log
> > Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
> > Portion of the log(s):
> >
> > 173.85.169.203 - - [27/Feb/2010:01:27:34 -0800] "GET /studio/servlet/psoft.counter.CounterService?action=count&id=411&accept-language=undefined&user-agent=Mozilla/5.0%20%28Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20en-US%3B%20rv%3A1.9.1.8%29%20Gecko/20100202%20Firefox/3.5.8%20%28.NET%20CLR%203.5.30729%29&size=1024&colors=32&ref=http%3A//www.google.com/search%3Fhl%3Den%26client%3Dfirefox-a%26hs%3DFWJ%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26ei%3DfOWIS46EEYP18QaRxe2aDw%26sa%3DX%26oi%3Dspellfullpage%26resnum%3D0%26ct%3Dresult%26cd%3D2%26ved%3D0CAYQvwUoAQ%26%26q%3Dspirit+life+christian+church+las+vegas%26spell%3D1&java=true&rand=0.057259379032712276HTTP/1.1" 200 180
> >
> > Here is my first "failed" attempt of writing an override rule:
> >
> > <group name="web,accesslog,">
> >   <!-- level one will still log it but not report it; if you do not want to
> >        log it at all use level="0" -->
> >   <rule id="100101" level="1" timeframe="160">
> >     <if_matched_sid>31106</if_matched_sid>
> >     <regex>psoft.counter.CounterService</regex>
> >     <description>sitestudio counter is not a web attack</description>
> >     <group name="attack,"></group>
> >   </rule>
> > </group>
> >
> > And here are the rules that are responsible for the ossec alert I am trying
> > to turn off.
> >
> >   <rule id="31104" level="6">
> >     <if_sid>31100</if_sid>
> >     <!-- Attempt to do directory transversal, simple sql injections,
> >        - or access to the etc or bin directory (unix). -->
> >     <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
> >     <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
> >     <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
> >     <url>cat%|exec%|rm%20</url>
> >     <description>Common web attack.</description>
> >     <info>http://www.armbrustconsulting.com/LogEntries.html</info>
> >     <group>attack,</group>
> >   </rule>
> >
> >   <rule id="31105" level="6">
> >     <if_sid>31100</if_sid>
> >     <url>%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
> >     <url>%20ONLOAD=|INPUT%20|iframe%20</url>
> >     <description>XSS (Cross Site Scripting) attempt.</description>
> >     <group>attack,</group>
> >   </rule>
> >
> >   <rule id="31106" level="12">
> >     <if_sid>31103, 31104, 31105</if_sid>
> >     <id>^200</id>
> >     <description>A web attack returned code 200 (success).</description>
> >     <group>attack,</group>
> >   </rule>
> >
> > I would appreciate any help and advice.
> >
> > Thank you.
> >
> > Gil Vidals
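Gil's override rule with Daniel's correction applied, as an added example that is not part of the thread. The `timeframe` attribute is dropped because it only has meaning together with `<if_matched_sid>`, and the match is moved from `<regex>` to `<url>` so it tests the same decoded field the parent rules 31104/31105 use; both of those choices are mine, not something stated in the thread.

```xml
<!-- Goes in local_rules.xml (rule ids 100000 and up are reserved for local rules). -->
<group name="web,accesslog,">
  <!-- A child rule of 31106: when 31106 fires AND the url matches, this rule
       replaces it. Level 1 is still written to alerts.log but is below the
       default email_alert_level of 7; use level="0" to discard the event. -->
  <rule id="100101" level="1">
    <if_sid>31106</if_sid>
    <!-- substring match on the decoded URL of the access_log entry -->
    <url>psoft.counter.CounterService</url>
    <description>SiteStudio counter is not a web attack</description>
  </rule>
</group>
```

Because the override keys on the exact servlet path rather than on the whole log line, other requests that trip 31104/31105 and return 200 still raise the level 12 alert.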
