Hello,
This is the first time I have had to tune a rule and I'm not entirely sure
how to adjust for this.
OSSEC is firing
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):
[08/Apr/2010:12:51:41 -0500] "GET /resources/12706692804bbcdfe0c656e/Excel%20Project%201%20-%20Midterm%20Gradebook%20Completed.zip HTTP/1.1" 200 18824 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
The "Midterm%20" part of the URL is matching against this part of rule
31104: <url>cat%|exec%|rm%20</url>
I know the simple (and maybe the best) solution would be to not use spaces
in file names, however, convincing professors and students to do that is not
an easy task.
What I would like to do is create a custom rule in local_rules.xml, but I'm
not sure if using a simple regex is the best solution. Here is what I was
thinking:
<group name="web,accesslog,">
  <!-- Child of 31106: when "rm%20" is the tail of a word (e.g. "Midterm%20"),
       drop the alert to level 0. \w is OSSEC's word class (A-Z a-z 0-9 @ _ -);
       \W matches the opposite case (a separator before "rm") and would silence
       real hits while leaving "Midterm%20" alerting. -->
  <rule id="100001" level="0">
    <if_sid>31106</if_sid>
    <regex>\wrm%20</regex>
    <description>Word ending with rm%20 (false positive)</description>
    <!-- inside a rule, <group> takes its value as text, not a name attribute -->
    <group>attack,</group>
  </rule>
</group>
Any improvements/suggestions would be greatly appreciated.
Thanks
Joe Burleson
Department of Computer Science
Arkansas State University
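Added example, not code from the post or from the OSSEC project: a small Python emulation of the 31104 -> 31106 -> local-rule chain, assuming OSSEC's documented `\w` class (A-Z, a-z, 0-9, @, _, -) with `\W` as its negation and the simple `|` alternation of `<url>`, run over two constructed log lines. It shows that `\Wrm%20` and `\wrm%20` suppress opposite cases, so the child rule's class choice decides whether the gradebook download or a real `;rm%20` request is silenced.

```python
import re

# OSSEC OS_Regex classes (assumption: only the two needed here are emulated): \w = A-Z a-z 0-9 @ _ -, \W = not \w
_OS_CLASSES = {
    r"\w": r"[A-Za-z0-9@_\-]",
    r"\W": r"[^A-Za-z0-9@_\-]",
}

def os_regex_to_python(pattern: str):
    """Translate the subset of OSSEC <regex> syntax used here to a Python regex."""
    out, i = "", 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _OS_CLASSES:
            out += _OS_CLASSES[tok]
            i += 2
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out)

# <url> uses OSSEC's simple matcher: "|" separates alternatives, each a substring test.
RULE_31104_URL = "cat%|exec%|rm%20"

def url_hits_31104(url: str) -> bool:
    return any(alt in url for alt in RULE_31104_URL.split("|"))

def parse_request(line: str):
    """Pull the request URL and status code out of an Apache combined log line."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d" (\d{3}) ', line)
    return (m.group(1), int(m.group(2))) if m else ("", 0)

def evaluate(line: str, suppress_regex: str) -> str:
    """Emulate the chain 31104 (url) -> 31106 (code 200) -> level-0 child rule."""
    url, code = parse_request(line)
    if not url_hits_31104(url) or code != 200:
        return "no alert"                 # 31106 never fires
    if os_regex_to_python(suppress_regex).search(line):
        return "suppressed"               # child rule matched; level 0 silences 31106
    return "alert 31106"

# Constructed log lines: the gradebook download from the post, and a request with a shell-style "rm%20" that must still alert.
FALSE_POSITIVE = ('[08/Apr/2010:12:51:41 -0500] "GET /resources/12706692804bbcdfe0c656e/Excel%20Project%201%20-%20Midterm%20Gradebook%20Completed.zip'
                  ' HTTP/1.1" 200 18824 "-" "Mozilla/4.0"')
REAL_HIT = ('[08/Apr/2010:13:02:07 -0500] "GET /cgi-bin/view.cgi?f=;rm%20-f%20cache'
            ' HTTP/1.1" 200 51 "-" "curl/7.19"')

if __name__ == "__main__":
    for pat in (r"\Wrm%20", r"\wrm%20"):
        print(pat, "->", evaluate(FALSE_POSITIVE, pat), "/", evaluate(REAL_HIT, pat))
```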