Hi, I have a server for OSSEC and several agents. One of the agents is monitoring a JBOSS server, and sometimes it blocks traffic with a false positive firing rule 31533:

------------------------------------------------------------------------
Received From: (netp) 192.168.222->/var/log/nginx/access.log
Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)."
Portion of the log(s):

192.168.100.150 - - [14/Nov/2014:13:10:02 +0000] "POST /netpa/DIFTasks?&_AP_=3&_MD_=1&_SR_=DIRAL&_ST_=2&cdDocente=&nomeAluno=&cdLectivo=56345&cdDuracao=&cdInstituic=1&cdASCur=34563&cod_curso=4563&nomeCurso=Engenharia%20Inform%E1tica%20e%20de%20Sistemas&cdDiscip=24106&dsDiscip=Programa%E7%E3o%20Avan%E7ada&COMP=dirAlunos HTTP/1.1" 200 3311 "https://xpto.isec.pt/netpa/DIFTasks?_PR_=1&_AP_=3&_MD_=1&_SR_=DIRAL&_ST_=1 <https://netp.isec.pt/netpa/DIFTasks?_PR_=1&_AP_=3&_MD_=1&_SR_=DIRAL&_ST_=1>" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0" "-"
........
------------------------------------------------------------------------

I want to make OSSEC (or the agent on that server) ignore those warnings. On the server I've added this to local_rules.xml. The first rule (100001) doesn't seem to work. I'm still waiting for the results on rule 100002.

    <group name="web,appsec,attack">
      <rule id="100001" level="0">
        <if_sid>31533</if_sid>
        <dstip>192.168.222</dstip>
        <description>Rule that will ignore: High amount of POST requests in a small period of time (likely bot).</description>
      </rule>

      <rule id="100002" level="0">
        <if_sid>31533</if_sid>
        <url>/netpa/DIFTasks</url>
        <regex> "POST /netpa/DIFTasks?\S</regex>
        <description>Rule that will ignore: High amount of POST requests in a small period of time (likely bot).</description>
      </rule>
    </group>

Is this the correct way to do this? Will this work? If not, how can I make it work?
Best regards,
António Godinho
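As an added illustration (not part of António's post and not OSSEC's own code): a small Python model of the burst check that rule 31533 performs on nginx access-log lines, with an allow-list for the application path, which is the effect a level-0 child rule that matches on the URL is meant to have. The frequency and timeframe values are assumed rather than OSSEC's real settings, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined" format, as in the log line quoted in the alert above.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (srcip, timestamp, method, path) or None; the query string is dropped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['src'], ts, m['method'], m['url'].split('?', 1)[0]

def post_bursts(lines, frequency=8, timeframe=30, ignore_paths=()):
    """Flag each source IP that sends `frequency` POSTs within `timeframe` seconds
    (assumed values; OSSEC's real rule 31533 settings live in web_rules.xml).
    Requests to `ignore_paths` are discarded before counting, which is the effect
    a level-0 child rule that matches the URL is meant to have in OSSEC."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, ts, method, path = rec
        if method != 'POST' or path in ignore_paths:
            continue
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency:
            alerts.append((src, ts))
            q.clear()  # one alert per burst, then start counting again
    return alerts

def _line(src, sec, path):
    # Constructed sample line in the same format as the quoted alert.
    return (f'{src} - - [14/Nov/2014:13:10:{sec:02d} +0000] "POST {path} HTTP/1.1" '
            f'200 3311 "-" "Mozilla/5.0" "-"')

# Constructed traffic: the legitimate application endpoint from the post, plus an
# unrelated source (TEST-NET address) repeatedly posting to a login form.
SAMPLE = ([_line('192.168.100.150', s, '/netpa/DIFTasks?_AP_=3&_MD_=1') for s in range(10)]
          + [_line('203.0.113.7', s, '/account/login') for s in range(1, 10)])
```

Run `post_bursts(SAMPLE)` to see both sources flagged, then `post_bursts(SAMPLE, ignore_paths=('/netpa/DIFTasks',))` to see only the login-form source remain.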
