I'd strongly suggest avoiding any active responses on the web attack
rules until you've tweaked them to fit your applications ;-)
(and even then I'd really be careful, since an attacker can use CSRF on a
random site on the internet to cause a victim to send queries to your
server that will trigger your active response)
On 10/16/2012 9:32 AM, Leonardo Bacha Abrantes wrote:
hey guys,
I received an alert about success on attack.
Looking in my access.log I found the log that started this alert:
1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694
**Phase 1: Completed pre-decoding.
full event: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
hostname: 'megatron'
program_name: '(null)'
log: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '1.2.3.4'
url: '/sample-folder/news/global-report..?page=91'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31106'
Level: '6'
Description: 'A web attack returned code 200 (success).'
**Alert to be generated.
The active response blocked the source IP. I checked the Integrity
Checking database and it didn't show any changes to files, so it was
a false positive.
Has anyone had the same issue?
many thanks!
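As an added illustration of the decode-and-match path in the thread above (example code written for this page, not OSSEC's own decoder or rules), the script below parses the exact access-log line from the post, applies a simplified '..' traversal heuristic as a stand-in for the generic web-attack rules, and shows the kind of application-specific tuning the reply recommends: a known URL shape is excluded before any alert (and so before any active response) while a traversal string that does not fit that shape still raises the code-200 alert. The traversal regex, the allowlist pattern and the PARENT-RULE id are assumptions, not OSSEC rule content.

```python
import re

# Access-log line copied from the thread; the literal '..' in the path is what trips the rule.
SAMPLE = ('1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] '
          '"GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694')

# Minimal stand-in for the web-accesslog decoder: pulls srcip, url and status id.
ACCESSLOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) (?P<size>\S+)')

# Assumed simplification of the generic "web attack" patterns: a bare or
# percent-encoded '..' anywhere in the request URL (directory-traversal heuristic).
TRAVERSAL_RE = re.compile(r'\.\.|%2e%2e', re.IGNORECASE)

# Site-specific tuning: URL shapes this application legitimately emits with '..'.
# The pattern below is assumed from the thread's URL; derive yours from your own app.
KNOWN_APP_URLS = [re.compile(r'^/sample-folder/news/[\w-]+\.\.\?page=\d+$')]


def decode(line):
    """Return the decoded fields for one access-log line, or None if it does not parse."""
    m = ACCESSLOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(line, allowlist=KNOWN_APP_URLS):
    """Return (rule_id, description) for the alert this line would raise, or None.

    The allowlist is consulted before any alert (and therefore before any active
    response) so that a known application URL never blocks the requesting client,
    while a genuine traversal string outside that shape still alerts.
    """
    ev = decode(line)
    if ev is None or not TRAVERSAL_RE.search(ev['url']):
        return None
    if any(p.match(ev['url']) for p in allowlist):
        return None          # known application URL: tuned out, no block
    if ev['id'] == '200':
        return ('31106', 'A web attack returned code 200 (success).')
    # The parent-rule id below is a placeholder, not a real OSSEC rule number.
    return ('PARENT-RULE', 'Web attack pattern in URL')


if __name__ == '__main__':
    print('untuned :', evaluate(SAMPLE, allowlist=[]))
    print('tuned   :', evaluate(SAMPLE))
```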