Does rule 31108 exist in 2.3? Is matching rule 31108 valid? If so, you should adjust your local rule.
On Tue, Apr 6, 2010 at 3:26 PM, Chad Robertson <[email protected]> wrote:
> I might have a bug to report though hopefully someone else can verify it's
> legit.
>
> Prior to updating to 2.4, I had a script that generates rules. These rules
> were all dependent upon 31100 and worked by matching the requesting srcip.
> After the update they no longer work as they did.
>
> Example rule:
>
> <group name="web">
>   <rule id="100740" level="14">
>     <if_sid>31100</if_sid>
>     <srcip>109.123.78.44</srcip>
>     <description>Evil Haxors!!</description>
>   </rule>
> </group>
>
> Before update:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2010-04-06 11:41:01 <hostname> x.x.x.x GET /evilfile.php 80 - 109.123.78.44 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - - www.wantsfly.com 301
>        hostname: 'test'
>        program_name: '(null)'
>        log: '2010-04-06 11:41:01 <hostname> x.x.x.x GET /evilfile.php 80 - 109.123.78.44 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - - www.wantsfly.com 301'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        url: '/prx2.php'
>        srcip: '109.123.78.44'
>        id: '301'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100740'
>        Level: '14'
>        Description: 'Evil Haxors!!'
> **Alert to be generated.
>
>
> After update:
>
> ....<same as above>...
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31108'
>        Level: '0'
>        Description: 'Ignored URLs (simple queries).'
>
>
> I verified that I had added my custom rules xml file back into the
> ossec.conf after the update. It seems to load it (as shown in the ossec.log
> file) but it just no longer works as it did. It's almost like the default
> ruleset overrides my custom rules. If I change my rule to be dependent upon
> 31108 instead of 31100, it works.
>
> To verify, I reverted back to 2.3 and (after adding the rule.xml file back
> into the ossec.conf file) it works again.
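To show why the custom rule stops firing after the upgrade, here is an added Python model (not OSSEC code and not from the thread) of how OSSEC walks its rule tree: once a parent matches, its children are tried in load order, the first matching child wins, and a final level of 0 means the event is ignored. The real url pattern of rule 31108 is not on the page, so a placeholder regex that matches the decoded url '/prx2.php' is assumed, as is the usual ordering in which local rules load after web_rules.xml.

```python
import re

class Rule:
    """One OSSEC-style rule: optional parent (if_sid) plus match conditions."""
    def __init__(self, rid, level, description, if_sid=None, srcip=None, url_re=None):
        self.id, self.level, self.description = rid, level, description
        self.if_sid, self.srcip, self.url_re = if_sid, srcip, url_re
        self.children = []

    def matches(self, event):
        if self.srcip and event.get("srcip") != self.srcip:
            return False
        if self.url_re and not re.search(self.url_re, event.get("url", "")):
            return False
        return True

def build_tree(rules):
    """Attach each rule to its if_sid parent; list order == load order."""
    by_id = {r.id: r for r in rules}
    roots = []
    for r in rules:
        (by_id[r.if_sid].children if r.if_sid else roots).append(r)
    return roots

def evaluate(roots, event):
    """Descend the tree, taking the first matching sibling at each level."""
    matched, candidates = None, roots
    while True:
        nxt = next((r for r in candidates if r.matches(event)), None)
        if nxt is None:
            return matched
        matched, candidates = nxt, nxt.children

# Constructed event carrying the fields decoded in the thread.
EVENT = {"srcip": "109.123.78.44", "url": "/prx2.php", "id": "301"}

def ruleset(custom_parent):
    """Default rules first (web_rules.xml), then the local rule 100740."""
    return build_tree([
        Rule(31100, 0, "Access log messages grouped."),
        # Placeholder pattern: the real 31108 regex is not on the page.
        Rule(31108, 0, "Ignored URLs (simple queries).", if_sid=31100,
             url_re=r"^/[\w-]+\.php$"),
        Rule(100740, 14, "Evil Haxors!!", if_sid=custom_parent, srcip="109.123.78.44"),
    ])

def final_rule(custom_parent):
    """Return (rule id, level) that ends evaluation for EVENT."""
    r = evaluate(ruleset(custom_parent), EVENT)
    return (r.id, r.level)
```

With if_sid 31100 the sibling 31108 is checked first and swallows the event at level 0; re-parenting the local rule under 31108 lets it run after that match and alert at level 14.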
