Hi,
OSSEC is open source. It should be fairly easy to take a look at what
the rule 31106 is about. :)
It references rule 31103, which looks for things like:
<url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
<url>union+|where+|null,null|xp_cmdshell</url>
And it references rule 31104, which looks for:
<url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
<url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
<url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
<url>cat%|exec%|rm%20</url>
And it references rule 31105, which looks for:
<url>%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
<url>%20ONLOAD=|INPUT%20|iframe%20</url>
Now it is an exercise for you. :) Find if any of those match your log.
If yes, then you're under attack. If no, it might be a false positive.
And I might overlooked some more references to other rules...
On 2010-03-19, rob <[email protected]> wrote:
> Hi Guys
>
> I need more info around the rule 31106 and what it does. There is
> nothing on the wiki on ossec.net. I recieve the following alert:
>
> Rule: 31106 fired (level 12) -> "A web attack returned code 200
> (success)."
> Portion of the log(s):
>
> 18/Mar/2010:12:39:43 +0200] "GET /URL?mu=74bffe75-
> b11b-4f6a-9bf4-4434d906b98a&mp=&token=3150ce37-
> a8bb-4c31-8ada-8b313a7ec055&mn=TEXT&ttuText=Hi+there%0D%0A%0D%0AIs+it
> +possible+to+text+%22text%22+text%27text.+text%3F%0D%0A%0D%0AThanks%0D
> %0 HTTP/1.0" 200 18 "-" "-"
>
> The alerts has been modified a bit but the message is still the same.
> Why did it get set off?
> Was it the %22text%22 section of the message?
>
> Thanks Robert
>
> To unsubscribe from this group, send email to
> ossec-list+unsubscribegooglegroups.com or reply to this email with the words
> "REMOVE ME" as the subject.
>
--
http://nk99.org/
To unsubscribe from this group, send email to
ossec-list+unsubscribegooglegroups.com or reply to this email with the words
"REMOVE ME" as the subject.
