rob wrote:
> Rule: 31106 fired (level 12) -> "A web attack returned code 200
> (success)."
> Portion of the log(s):
>
> 18/Mar/2010:12:39:43 +0200] "GET /URL?mu=74bffe75-
> b11b-4f6a-9bf4-4434d906b98a&mp=&token=3150ce37-
> a8bb-4c31-8ada-8b313a7ec055&mn=TEXT&ttuText=Hi+there%0D%0A%0D%0AIs+it
> +possible+to+text+%22text%22+text%27text.+text%3F%0D%0A%0D%0AThanks%0D
> %0 HTTP/1.0" 200 18 "-" "-"
As others have noted, this is basically an indication that there was an attack pattern triggered, followed by a 200 (success). I have found this rule to be somewhat unreliable since HTTP is stateless and the original rule that was triggered could be a false positive. Bottom line: tuning is required.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
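The two-stage logic described in the reply (an attack-pattern match on the request, then a 200 on the same line) and the tuning it calls for, as an added Python example that is not part of the thread and not OSSEC's own rule code. The stage-1 pattern below is a deliberately naive stand-in for a generic web-attack rule (quotes, SQL comment markers, script tags, traversal) so that the false positive in rob's log shows up: the free-text field ttuText legitimately contains %22 and %27. The log lines are constructed to resemble the quoted one (the original is truncated and has no client address), and the parameter allow-list is the tuning knob this example assumes.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample lines modelled on the one quoted in the thread (not the real log).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2010:12:39:43 +0200] "GET /URL?mu=74bffe75-b11b-4f6a-9bf4-4434d906b98a'
    '&mp=&mn=TEXT&ttuText=Hi+there%0D%0A%22text%22+text%27text.+text%3F HTTP/1.0" 200 18 "-" "-"',
    '203.0.113.7 - - [18/Mar/2010:12:40:01 +0200] "GET /search?q=%27+OR+1%3D1-- HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.7 - - [18/Mar/2010:12:40:05 +0200] "GET /search?q=%27+OR+1%3D1-- HTTP/1.0" 403 0 "-" "-"',
]

# Apache/NCSA combined-style access log line (enough fields for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Stage 1: a simplified "web attack pattern" check standing in for the OSSEC web-attack
# rules that 31106 chains from. Constructed for this example; OSSEC's own regexes differ.
ATTACK_RE = re.compile(r"""['"]|--|<script|\.\./""", re.I)


def parse_line(line):
    """Return a dict of fields for a recognised access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decoded_values(target, skip_params=frozenset()):
    """Yield the URL-decoded path and every query value, skipping tuned-out parameters."""
    parts = urlsplit(target)
    yield unquote_plus(parts.path)
    # parse_qs already percent-decodes values and turns '+' into spaces.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in skip_params:
            continue
        yield from values


def attack_pattern_matched(rec, skip_params=frozenset()):
    """Stage 1: does any decoded part of the request hit the attack pattern?"""
    return any(ATTACK_RE.search(v) for v in decoded_values(rec["target"], skip_params))


def classify(line, skip_params=frozenset()):
    """Stage 2: combine the pattern hit with the status code on the same line.

    'attack_success'  -> pattern matched and the server answered 200 (the 31106 condition)
    'attack_rejected' -> pattern matched but the server did not answer 200
    'clean'           -> no pattern hit (possibly because a parameter was tuned out)
    'unparsed'        -> line did not match the log format
    """
    rec = parse_line(line)
    if rec is None:
        return "unparsed"
    if not attack_pattern_matched(rec, skip_params):
        return "clean"
    return "attack_success" if rec["status"] == 200 else "attack_rejected"


if __name__ == "__main__":
    # Tuning: parameters known to carry free text are not inspected for quote characters.
    FREE_TEXT_PARAMS = frozenset({"ttuText"})
    for line in SAMPLE_LOG:
        print(classify(line), "| tuned:", classify(line, FREE_TEXT_PARAMS))
```

Untuned, the first line is reported as a successful attack purely because the message body carries quotes, which is the false positive the reply warns about; skipping the free-text parameter turns it into "clean" while the injection-looking lines keep their classification. Note that a 200 still only means the application answered normally, not that any injected input was acted on, so the stage-2 verdict remains a prioritisation hint rather than proof of compromise.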
