Cf. the files in {$OSSECDIR}/rules/

There you will find an XML file called web_rules.xml.
Within that file you will find rule 31106:

  <rule id="31106" level="12">
    <if_sid>31103, 31104, 31105</if_sid>
    <id>^200</id>
    <description>A web attack returned code 200 (success).</description>
    <group>attack,</group>
  </rule>

It states that if an event matches one of rules 31103-31105 (located in the same
file; they are scanning for URL patterns that might resemble a web attack)
and the decoder extracted an ID starting with the string "200", a web attack
probably was successful.

The message that matched the rule includes that an HTTP GET request for that
long URL happened.
%22text%22 is a part of that URL.


On Fri, Mar 19, 2010 at 10:37 AM, rob <[email protected]> wrote:

> Hi Guys
>
> I need more info around the rule 31106 and what it does.  There is
> nothing on the wiki on ossec.net.  I receive the following alert:
>
> Rule: 31106 fired (level 12) -> "A web attack returned code 200
> (success)."
> Portion of the log(s):
>
> 18/Mar/2010:12:39:43 +0200] "GET /URL?mu=74bffe75-
> b11b-4f6a-9bf4-4434d906b98a&mp=&token=3150ce37-
> a8bb-4c31-8ada-8b313a7ec055&mn=TEXT&ttuText=Hi+there%0D%0A%0D%0AIs+it
> +possible+to+text+%22text%22+text%27text.+text%3F%0D%0A%0D%0AThanks%0D
> %0 HTTP/1.0" 200 18 "-" "-"
>
> The alert has been modified a bit but the message is still the same.
> Why did it get set off?
> Was it the %22text%22 section of the message?
>
> Thanks Robert
>
> To unsubscribe from this group, send email to ossec-list+
> unsubscribegooglegroups.com or reply to this email with the words "REMOVE
> ME" as the subject.
>

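The rule chain described in the reply above, as an added example that is not part of this thread or of OSSEC's own code: a small Python model of how an access-log line becomes a 31106 alert. The decode() function is a rough stand-in for OSSEC's web-accesslog decoder (which exposes the request URL as <url> and the HTTP status as <id>), the three child patterns are simplified hypothetical stand-ins for rules 31103, 31104 and 31105 (the real patterns are in web_rules.xml and should be read from there), and the three log lines are constructed, adapted from the one in the question with the URL shortened.

```python
import re

# Constructed sample log lines (adapted from the question above; the URL is
# shortened). The first keeps the %0D%0A sequences and the 200 status, the
# second has the same URL but a 404, the third is a plain request.
SAMPLE_HIT = (
    '10.0.0.5 - - [18/Mar/2010:12:39:43 +0200] "GET /URL?mn=TEXT&ttuText=Hi+there'
    '%0D%0A%0D%0AIs+it+possible+to+text+%22text%22%3F HTTP/1.0" 200 18 "-" "-"'
)
SAMPLE_MISS = (
    '10.0.0.5 - - [18/Mar/2010:12:39:44 +0200] "GET /URL?mn=TEXT&ttuText=Hi+there'
    '%0D%0A HTTP/1.0" 404 18 "-" "-"'
)
SAMPLE_CLEAN = (
    '10.0.0.5 - - [18/Mar/2010:12:39:45 +0200] "GET /URL?mn=TEXT&ttuText=Hi+there'
    ' HTTP/1.0" 200 18 "-" "-"'
)

# Rough equivalent of the web-accesslog decoder: pull out the request URL and
# the HTTP status code. OSSEC rules see these as <url> and <id>.
ACCESS_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def decode(line):
    """Return {'url': ..., 'id': ...} for an access-log line, or None."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    return {"url": m.group("url"), "id": m.group("status")}


# Hypothetical, simplified stand-ins for the child rules (id, level, pattern).
# 31103: SQL injection fragments; 31104: common web attack fragments such as
# encoded line breaks and traversal; 31105: XSS fragments. Read the real
# <url> patterns from web_rules.xml; these are only illustrative.
CHILD_RULES = [
    (31103, 6, re.compile(r"select%20|union%20|%20from%20|insert%20", re.I)),
    (31104, 6, re.compile(r"%00|%0a|%0d|%2e%2e|\.\./", re.I)),
    (31105, 6, re.compile(r"<script|%3cscript", re.I)),
]


def evaluate(line):
    """Return (rule_id, level) of the rule that fires for this line, or None."""
    fields = decode(line)
    if fields is None:
        return None

    matched = None
    for rule_id, level, pattern in CHILD_RULES:
        if pattern.search(fields["url"]):
            matched = (rule_id, level)
            break  # one alert per event: the first matching sibling wins
    if matched is None:
        return None

    # Rule 31106: <if_sid>31103, 31104, 31105</if_sid> plus <id>^200</id>,
    # i.e. the child rule fired AND the status code starts with "200".
    if fields["id"].startswith("200"):
        return (31106, 12)
    return matched


if __name__ == "__main__":
    for name, line in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("clean", SAMPLE_CLEAN)):
        print(name, evaluate(line))
```

In this model the encoded line breaks (%0D%0A) in an otherwise ordinary form submission are what trip the child rule, and the 200 status is what escalates it to 31106; the same URL answered with a 404 stays at the child rule's level 6. Whether the real 31104 in your web_rules.xml matches %0D%0A is something to confirm in that file. On an actual install the authoritative check is to paste the log line into /var/ossec/bin/ossec-logtest, which prints the decoder fields and every rule that matches.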