On Fri, Nov 14, 2014 at 9:14 AM, António Godinho
<[email protected]> wrote:
> Hi,
>
> I've a server for OSSEC and several agents.
> One of the agents is monitoring a JBOSS server, and sometimes it blocks
> traffic with a false positive firing rule 31533:
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Received From: (netp) 192.168.222->/var/log/nginx/access.log
> Rule: 31533 fired (level 10) -> "High amount of POST requests in a small
> period of time (likely bot)."
> Portion of the log(s):
>
> 192.168.100.150 - - [14/Nov/2014:13:10:02 +0000] "POST
> /netpa/DIFTasks?&_AP_=3&_MD_=1&_SR_=DIRAL&_ST_=2&cdDocente=&nomeAluno=&cdLectivo=56345&cdDuracao=&cdInstituic=1&cdASCur=34563&cod_curso=4563&nomeCurso=Engenharia%20Inform%E1tica%20e%20de%20Sistemas&cdDiscip=24106&dsDiscip=Programa%E7%E3o%20Avan%E7ada&COMP=dirAlunos
> HTTP/1.1" 200 3311
> "https://xpto.isec.pt/netpa/DIFTasks?_PR_=1&_AP_=3&_MD_=1&_SR_=DIRAL&_ST_=1";
> "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
> "-"
> ........
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> I want OSSEC (or the agent on that server) to ignore those
> warnings. On the server I've added this to the local_rules.xml. The first
> rule (100001) doesn't seem to work. I'm still waiting for the results on
> rule 100002.
>
> <group name="web,appsec,attack">
>
>   <rule id="100001" level="0">
>     <if_sid>31533</if_sid>
>     <dstip>192.168.222</dstip>
>     <description>Rule that will ignore: High amount of POST requests in a
> small period of time (likely bot).</description>
>   </rule>
>   <rule id="100002" level="0">
>     <if_sid>31533</if_sid>
>     <url>/netpa/DIFTasks</url>
>     <regex> "POST /netpa/DIFTasks?\S</regex>
>     <description>Rule that will ignore: High amount of POST requests in a
> small period of time (likely bot).</description>
>   </rule>
>
> </group>
>
> Is this the correct way to do this? Will this work? If not, how can I make it
> work?
>

I generally get this wrong, so test test test. I think <location>AGENT
NAME</location> might limit a rule to a specific agent.

> Best regards,
>
> António Godinho
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

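Added example, not code from either poster in this thread: a local_rules.xml fragment that scopes the exception for rule 31533 to one agent, one URL and one client instead of silencing the rule everywhere. It assumes the agent is named "netp" (taken from the alert's "Received From:" line) and that the client is 192.168.100.150 (taken from the quoted log line); the rule id 100010 and the level 3 are chosen for illustration. In OSSEC rules, `<hostname>` is matched against the agent name and `<url>` and `<srcip>` against the fields the web access-log decoder extracts from the current line, so a child rule of 31533 can test all three even though 31533 itself is a frequency rule.

```xml
<!-- Added example for local_rules.xml; not from the original thread.
     Assumptions: agent name "netp" (from the alert header) and client
     192.168.100.150 (from the quoted access-log line). -->
<group name="local,web,">

  <!-- Child of 31533. It only matches when the burst of POSTs arrives on
       the netp agent, targets the DIFTasks form and comes from the known
       internal client. Level 3 keeps the event in alerts.log for review
       but stays below the usual active-response threshold, so the
       firewall block is not triggered. Use level="0" to drop it entirely. -->
  <rule id="100010" level="3">
    <if_sid>31533</if_sid>
    <hostname>netp</hostname>            <!-- agent name, OS_Match -->
    <url>^/netpa/DIFTasks</url>          <!-- decoded request path, anchored -->
    <srcip>192.168.100.150</srcip>       <!-- client from the log line -->
    <description>Expected POST burst to DIFTasks from internal client; not a bot.</description>
  </rule>

  <!-- Any other source or URL that trips 31533 keeps the inherited level 10. -->
</group>
```

After editing, run `ossec-logtest` on the server and paste the quoted access-log line repeatedly to confirm that 100010, not 31533, is the final rule reported. If the burst is legitimate for every client of that application, the alternative is to copy rule 31533 into local_rules.xml with `overwrite="yes"` and a higher `frequency` rather than adding a child rule.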