I get a lot of 404 alerts, and I let OSSEC block access when it's
multiples from the same IP. Typically, they're looking for phpmyadmin or
other common (and probably poorly secured) tools in a number of locations.

On 01/24/2012 11:33 PM, Damien Hull wrote:
> It looks like someone was requesting the favicon and the server
> replied with "404"... How does that equal a level 10 alert? Anyway,
> here's the log info.
> 
> GET /theme/image.php?theme=moodlebook&image=favicon&rev=282&component=theme
> HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
> 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET
> CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; IPH
> 1.1.21.4019)"
> 
> On Tue, Jan 24, 2012 at 10:32 AM, Jason 'XenoPhage' Frisvold
> <[email protected]> wrote:
>> On Jan 24, 2012, at 8:37 AM, Joe Gedeon wrote:
>>> You should look at your logs and see what is triggering the 400's and
>>> fix that issue if it is a server side issue.
>>
>> Agreed.  Basically, the web browser is trying to obtain something from the 
>> server that's just not there.  Thus, 400 errors are triggered.  As a result, 
>> OSSEC sees a bunch of these fly by and considers it an attack.  It's far 
>> better to fix the underlying problem than to alter OSSEC to ignore such 
>> things.
>>


-- 
-- Steve
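An added example, not code from the thread or from OSSEC: a small Python detector run over constructed Apache access-log lines that flags a source IP once it has produced several unexplained 404s inside a sliding time window (the frequency/timeframe idea behind OSSEC's composite rules and Steve's blocking), while leaving ordinary 404s such as the favicon request Damien saw out of the count so they are fixed on the server rather than alerted on. The log format regex, the benign-path pattern, the threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, request line, status (assumed format).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# 404s a healthy site hands legitimate clients (the thread's favicon case); not counted.
BENIGN_404 = re.compile(r"favicon|/robots\.txt$|/apple-touch-icon")
# Constructed sample lines, not from the thread's server: 203.0.113.7 probes phpmyadmin locations.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2012:23:30:01 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jan/2012:23:30:02 -0500] "GET /phpMyAdmin/ HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jan/2012:23:30:03 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jan/2012:23:30:04 -0500] "GET /PHPMyAdmin/ HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jan/2012:23:30:05 -0500] "GET /phpmyadmin2/ HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jan/2012:23:30:06 -0500] "GET /mysqladmin/ HTTP/1.1" 404 290 "-" "Mozilla/4.0"
198.51.100.4 - - [24/Jan/2012:23:31:00 -0500] "GET /theme/image.php?theme=moodlebook&image=favicon&rev=282&component=theme HTTP/1.1" 404 290 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jan/2012:23:31:01 -0500] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Jan/2012:23:32:00 -0500] "GET /old-page.html HTTP/1.1" 404 290 "-" "curl/7.21.0"
"""

def parse_line(line):
    """Return (ip, datetime, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_repeat_404_sources(lines, threshold=5, window_seconds=120):
    """Alert on a source once it has `threshold` non-benign 404s inside a sliding
    window (OSSEC's frequency/timeframe idea); returns {ip: alert count}."""
    window = timedelta(seconds=window_seconds)
    recent, alerts = defaultdict(deque), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status != 404 or BENIGN_404.search(path):
            continue  # only unexplained 404s count toward the threshold
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] += 1
            q.clear()  # one burst yields one alert; the count restarts afterwards
    return dict(alerts)
```

Tuning the benign pattern is the point: when a legitimate resource is missing, fix it so the 404s stop, rather than widening the pattern until the rule is blind.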