> Rick,
> Thanks for sharing your rules. Is the event ID always going to be 3005?
> You may want to double-check that. Looks like it would work, though. Is
> there an exploit to check them? I'm not too current on the IIS stuff.
>
> I think OSSEC would also detect this attack indirectly through rule 31151.
Per the pages linked, the event ID for the specific error I am monitoring for will be 3005. Advising on exploits is a little beyond my realm of comfort ;) but there is an automated toolkit available for the attack; I have not tried to run it.

I don't know if 31151 ("multiple 400 errors") would hit. I don't know for sure, but I think the IIS log file would show HTTP error 500, so rule 31162 may be the one in web_rules.

Thanks,
Rick
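To make the two questions in this exchange concrete (whether the attack shows up in the IIS log as a run of 400s or 500s, and whether "3005" is the Windows event ID or the ASP.NET event code inside the message), here is an added example, not code from the thread or from OSSEC. It mimics an OSSEC frequency rule (N hits from one source IP within a timeframe) over a constructed IIS W3C log excerpt, and matches ASP.NET entries in the `WinEvtLog:` line format the OSSEC Windows agent forwards, accepting 3005 either as the event ID or as the "Event code:" in the message text. The log lines, host name, IPs, thresholds and the `WinEvtLog:` line layout are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed IIS W3C (extended) log excerpt; not a real capture.
# 192.0.2.10 hammers one ASP.NET handler and draws 500s; 192.0.2.20 is ordinary traffic.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-09-20 10:00:01 10.0.0.5 GET /WebResource.axd d=AAAA 80 - 192.0.2.10 Mozilla/4.0 500 0 0 15
2010-09-20 10:00:02 10.0.0.5 GET /WebResource.axd d=AAAB 80 - 192.0.2.10 Mozilla/4.0 500 0 0 12
2010-09-20 10:00:02 10.0.0.5 GET /default.aspx - 80 - 192.0.2.20 Mozilla/5.0 200 0 0 40
2010-09-20 10:00:03 10.0.0.5 GET /WebResource.axd d=AAAC 80 - 192.0.2.10 Mozilla/4.0 500 0 0 11
2010-09-20 10:00:04 10.0.0.5 GET /WebResource.axd d=AAAD 80 - 192.0.2.10 Mozilla/4.0 500 0 0 13
2010-09-20 10:00:05 10.0.0.5 GET /missing.aspx - 80 - 192.0.2.20 Mozilla/5.0 404 0 2 5
2010-09-20 10:00:06 10.0.0.5 GET /WebResource.axd d=AAAE 80 - 192.0.2.10 Mozilla/4.0 500 0 0 14
2010-09-20 10:00:07 10.0.0.5 GET /default.aspx - 80 - 192.0.2.20 Mozilla/5.0 200 0 0 38
"""

# Constructed Windows Application-log entries in the "WinEvtLog: <log>: <LEVEL>(<id>): <source>:
# <user>: <domain>: <host>: <message>" layout (assumed here); hosts and messages are invented.
SAMPLE_WINEVT = """\
WinEvtLog: Application: WARNING(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: An unhandled exception has occurred.
WinEvtLog: Application: INFORMATION(1309): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred.
WinEvtLog: Application: ERROR(1000): Application Error: (no user): no domain: WEB01: Faulting application w3wp.exe
"""


def parse_iis(text):
    """Parse W3C extended log text using its own #Fields: directive; returns a list of dicts."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line onto the declared fields; skip it
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["status"] = int(rec["sc-status"])
        events.append(rec)
    return events


def frequency_rule(events, status_class, frequency, timeframe):
    """Mimic an OSSEC frequency/timeframe rule: return {c-ip: time of first trigger} for
    sources with at least `frequency` responses in the same hundred-block as `status_class`
    (400 -> any 4xx, 500 -> any 5xx) inside a sliding window of `timeframe` seconds."""
    window = defaultdict(deque)
    fired = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] // 100 != status_class // 100:
            continue
        ip = ev["c-ip"]
        q = window[ip]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= frequency and ip not in fired:
            fired[ip] = ev["ts"]
    return fired


WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<level>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<msg>.*)$"
)


def match_aspnet_3005(text):
    """Return (event_id, level, host) for ASP.NET entries where 3005 is the Windows event ID
    or the ASP.NET 'Event code:' carried in the message; other sources are ignored."""
    hits = []
    for line in text.splitlines():
        m = WINEVT_RE.match(line)
        if not m or not m.group("source").startswith("ASP.NET"):
            continue
        code = re.search(r"Event code: (\d+)", m.group("msg"))
        if m.group("event_id") == "3005" or (code and code.group(1) == "3005"):
            hits.append((m.group("event_id"), m.group("level"), m.group("host")))
    return hits


if __name__ == "__main__":
    evs = parse_iis(SAMPLE_IIS_LOG)
    print("4xx rule (4 in 10s):", frequency_rule(evs, 400, 4, 10))
    print("5xx rule (4 in 10s):", frequency_rule(evs, 500, 4, 10))
    print("ASP.NET 3005 entries:", match_aspnet_3005(SAMPLE_WINEVT))
```

Against the constructed sample, a "multiple 400 errors" style rule never fires (the attacker's requests are all 500s), while the 5xx counterpart trips on the fourth response from 192.0.2.10; the event-log matcher catches both shapes in which 3005 can appear, so the check does not depend on which field the number lands in.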
