On Tue, Oct 16, 2012 at 10:32 AM, Leonardo Bacha Abrantes <[email protected]> wrote:
> hey guys,
>
> I received an alert about a successful attack.
> Looking in my access.log I found the log that started this alert:
>
> 1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694
>
> **Phase 1: Completed pre-decoding.
>        full event: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
>        hostname: 'megatron'
>        program_name: '(null)'
>        log: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
>
> **Phase 2: Completed decoding.
>        decoder: 'web-accesslog'
>        srcip: '1.2.3.4'
>        url: '/sample-folder/news/global-report..?page=91'
>        id: '200'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31106'
>        Level: '6'
>        Description: 'A web attack returned code 200 (success).'
> **Alert to be generated.
>
> The active response blocked the source ip. I checked the Integrity
> Checking database and it didn't show any changes on files, so it was
> a false positive.
> Has anyone had the same issue?
>
> many thanks!
It looks like the ".." in the URL might have triggered 31104? The web rules are unreliable; there are just too many ways for them to be wrong.
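To make the suspected false-positive chain concrete, here is an added, simplified re-implementation of the decode-then-match flow the logtest output shows (srcip/url/id extraction, an "attack" signature, then the "signature matched and server answered 200" alert). It is not part of the thread and not OSSEC's actual decoder or rule regex: the LOOSE and STRICT traversal patterns and the function names are hypothetical, and the second and third log lines are constructed.

```python
import re

# Decoder for the Common Log Format fields the logtest output shows (srcip, url, id).
# Hypothetical re-implementation, not OSSEC's web-accesslog decoder.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) '
)

# Two candidate "directory traversal" signatures (hypothetical, not OSSEC's rule regex):
# LOOSE fires on any "..", which is what the reply suspects happened to "global-report..?page=91";
# STRICT requires ".." (plain or URL-encoded) to be followed by a path separator.
LOOSE_TRAVERSAL = re.compile(r'\.\.')
STRICT_TRAVERSAL = re.compile(r'(\.\.|%2e%2e)(/|\\|%2f|%5c)', re.IGNORECASE)


def decode(line):
    """Phase 2: pull srcip, url and status id out of one access-log line (None if it does not parse)."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def evaluate(line, signature):
    """Phases 2 and 3: returns (attack_matched, alert_on_success) for one line.

    alert_on_success mirrors the 31106 logic from the thread: an attack signature
    matched AND the server answered 200.
    """
    fields = decode(line)
    if fields is None:
        return (False, False)
    attack = signature.search(fields["url"]) is not None
    return (attack, attack and fields["id"] == "200")


# The first line is the one posted in the thread; the other two are constructed samples.
SAMPLE_LOGS = [
    '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694',
    '5.6.7.8 - - [16/Oct/2012:05:04:01 -0300] "GET /static/../../etc/passwd HTTP/1.1" 200 1234',
    '5.6.7.8 - - [16/Oct/2012:05:04:02 -0300] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 404 512',
]


def compare(lines=SAMPLE_LOGS):
    """Run both signatures over the samples; returns a list of (url, loose_result, strict_result)."""
    return [(decode(l)["url"], evaluate(l, LOOSE_TRAVERSAL), evaluate(l, STRICT_TRAVERSAL)) for l in lines]


if __name__ == "__main__":
    for url, loose, strict in compare():
        print(f"{url:45s} loose={loose} strict={strict}")
```

The thread's URL alerts under the loose signature and is silent under the strict one, while the constructed `../` request still alerts under both, which is the kind of tuning the reply is hinting at when it calls the web rules unreliable.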
