Hey guys,
I received an alert about a successful attack.
Looking in my access.log, I found the log line that triggered this alert:
1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694
**Phase 1: Completed pre-decoding.
full event: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
hostname: 'megatron'
program_name: '(null)'
log: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '1.2.3.4'
url: '/sample-folder/news/global-report..?page=91'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31106'
Level: '6'
Description: 'A web attack returned code 200 (success).'
**Alert to be generated.
The active response blocked the source IP. I checked the Integrity Checking database and it didn't show any changes to files, so it was a false positive.
Has anyone had the same issue?
Many thanks!
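To show why a request like the one above can trip a "web attack returned 200" chain, here is a small Python reproduction of the decode-then-rule-chain flow from the ossec-logtest output. It is an added example written for this thread, not code from the post or from OSSEC: the access-log regex, the two traversal signatures (a broad one that fires on any ".." in the URL and a stricter one that requires ".." as a path component, raw or URL-encoded) and the rule names are all this example's own assumptions, not OSSEC's actual decoder or rule ids. The first sample line is the one from the post; the other two are constructed here.

```python
import re

# Constructed sample lines: the first is the request from the post, the
# second is a made-up real traversal attempt, the third a benign request.
SAMPLE_LINES = [
    '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694',
    '5.6.7.8 - - [16/Oct/2012:05:04:01 -0300] "GET /images/../../../../etc/passwd HTTP/1.1" 200 1024',
    '9.9.9.9 - - [16/Oct/2012:05:05:12 -0300] "GET /sample-folder/news/global-report.html?page=91 HTTP/1.1" 200 9694',
]

# Illustrative decoder for an NCSA common/combined access log line. It pulls
# out the same three fields the logtest output shows (srcip, url, id); it is
# written for this example and is not OSSEC's web-accesslog decoder.
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<id>\d{3}) (?P<size>\d+|-)'
)


def decode(line):
    """Phase 2: extract srcip, url and id from one access log line."""
    m = ACCESS_LOG_RE.match(line)
    if m is None:
        return None
    return {"srcip": m.group("srcip"), "url": m.group("url"), "id": m.group("id")}


# Two hypothetical traversal signatures (assumptions, not OSSEC's patterns).
# BROAD fires on any ".." anywhere in the URL, which is enough to make a
# filename like "global-report.." look like an attack.
BROAD_TRAVERSAL = re.compile(r'\.\.')
# STRICT only fires when ".." (raw or URL-encoded) is bounded by path
# separators, the start of the URL, the end of it, or the query string.
STRICT_TRAVERSAL = re.compile(
    r'(?:^|/|\\|%2f|%5c)(?:\.\.|%2e%2e|\.%2e|%2e\.)(?:/|\\|%2f|%5c|$|\?)',
    re.IGNORECASE,
)


def evaluate(line, traversal_re):
    """Phase 3: a two-rule chain modelled on the posted alert.

    Returns None when nothing fires, "web_attack" when the URL matches the
    traversal signature, and "web_attack_success" when it additionally
    returned HTTP 200 (the role rule 31106 plays in the post). The names
    are this example's own, not OSSEC rule ids.
    """
    ev = decode(line)
    if ev is None or not traversal_re.search(ev["url"]):
        return None
    if ev["id"] == "200":
        return "web_attack_success"
    return "web_attack"


def run(lines, traversal_re):
    """Evaluate every line against one signature; one verdict per line."""
    return [evaluate(line, traversal_re) for line in lines]


if __name__ == "__main__":
    for name, rx in (("broad", BROAD_TRAVERSAL), ("strict", STRICT_TRAVERSAL)):
        print(name, run(SAMPLE_LINES, rx))
```

With the broad signature the posted request and the real traversal both end up as "web_attack_success", which is the false positive the thread describes; with the strict signature only the "/../../" request fires. Whichever way a local rule is tightened, the 200 status on its own says nothing about whether the request did any harm, which is why checking the integrity database as the poster did is the right follow-up.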