They are right now, but the word could change. The website runs an
application that provides our students with homework and lab resources that
they use in our classes. It also serves as a repo for students to upload
their homework files to. I have made the request to have the file names
passed on POST instead of GET. That should solve the problem in the long
term.

Thanks for your help.

Joe Burleson
Department of Computer Science
Arkansas State University


On Fri, Apr 9, 2010 at 15:27, dan (ddp) <[email protected]> wrote:

> It looks ok to me. Are most of the examples of this firing related to
> the term "midterm"? If so, you could filter that out specifically.
>
> On Thu, Apr 8, 2010 at 3:16 PM, Joe Burleson <[email protected]>
> wrote:
> > Hello,
> >
> > This is the first time I have had to tune a rule and I'm not entirely
> > sure how to adjust for this.
> >
> > ossec is firing
> >
> > Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
> > Portion of the log(s):
> >
> > [08/Apr/2010:12:51:41 -0500] "GET
> > /resources/12706692804bbcdfe0c656e/Excel%20Project%201%20-%20Midterm%20Gradebook%20Completed.zip
> > HTTP/1.1" 200 18824 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2;
> > WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
> > 3.5.30729)"
> >
> > The "Midterm%20" part of the url is matching against this part of rule
> > 31104: <url>cat%|exec%|rm%20</url>
> >
> > I know the simple (and maybe the best) solution would be to not use spaces
> > in file names, however, convincing professors and students to do that is
> > not an easy task.
> >
> > What I would like to do is create a custom rule in local_rules.xml, but I'm
> > not sure if using a simple regex is the best solution. Here is what I was
> > thinking:
> >
> > <group name="web,accesslog,">
> >
> >   <rule id="100001" level="0">
> >      <if_sid>31106</if_sid>
> >      <!-- \w is OSSEC's word-character class: a word ending in "rm" followed by an encoded space -->
> >      <regex>\wrm%20</regex>
> >      <description>Word ending with rm%20 (false positive)</description>
> >
> >      <group>attack,</group>
> >   </rule>
> > </group>
> >
> > Any improvements/suggestions would be greatly appreciated.
> >
> > Thanks
> >
> > Joe Burleson
> > Department of Computer Science
> > Arkansas State University
> >
>
>
>

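Added here as a check on the tuning discussed in this thread (example code, not OSSEC's own and not from the list): a small Python script that approximates OSSEC's regex classes, then runs the rule 31104 `<url>` pattern and a level-0 override pattern against the logged student request and a constructed request that really carries `rm%20`. The class mapping and the URL pattern of rule 31104 are taken as assumptions from the thread and OSSEC's documented regex syntax; the script contrasts `\wrm%20` (a word character before `rm`) with `\Wrm%20`, which suppresses exactly the wrong requests.

```python
import re

# OSSEC regex classes mapped to Python equivalents (assumed from OSSEC's
# documented regex syntax; only the classes needed here are covered).
OSSEC_CLASSES = {
    r"\w": r"[A-Za-z0-9@_\-]",   # OSSEC \w: letters, digits, '-', '@', '_'
    r"\W": r"[^A-Za-z0-9@_\-]",  # OSSEC \W: anything that is not \w
    r"\.": r".",                 # OSSEC \. means "any character"
}
LITERAL_IN_OSSEC = set(".()[]{}?")  # literal in OSSEC, special in Python re


def ossec_to_python(pattern):
    """Translate an OSSEC <regex>/<url> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in OSSEC_CLASSES:
            out.append(OSSEC_CLASSES[two])
            i += 2
        else:
            ch = pattern[i]
            # |, ^, $, + and * mean the same in both; escape the rest
            out.append("\\" + ch if ch in LITERAL_IN_OSSEC else ch)
            i += 1
    return "".join(out)


def ossec_match(pattern, text):
    return re.search(ossec_to_python(pattern), text) is not None


ATTACK_URL = "cat%|exec%|rm%20"  # the <url> pattern of rule 31104 in the thread


def outcome(url, suppress):
    """Decision for one request URL: the 31104 <url> match raises the alert,
    then the level-0 child rule with <regex>suppress</regex> may override it."""
    if not ossec_match(ATTACK_URL, url):
        return "clean"
    return "suppressed" if ossec_match(suppress, url) else "alert"


# Sample input: the false positive from the log quoted in the thread, and a
# constructed request that really carries an 'rm%20' command fragment.
STUDENT_UPLOAD = ("/resources/12706692804bbcdfe0c656e/"
                  "Excel%20Project%201%20-%20Midterm%20Gradebook%20Completed.zip")
CONSTRUCTED_ATTACK = "/index.php?page=;rm%20somefile"

if __name__ == "__main__":
    for pat in (r"\wrm%20", r"\Wrm%20"):
        print(pat, outcome(STUDENT_UPLOAD, pat), outcome(CONSTRUCTED_ATTACK, pat))
```

With `\wrm%20` the gradebook upload is suppressed and the constructed request still alerts; with `\Wrm%20` it is the other way round.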