Seems like the wrong decoder came back to the source again. Just doing some tests:
198.74.50.XXX - - [28/Apr/2015:16:45:42 -0700] "GET / HTTP/1.1" 200 6389 "-" "testuseragent"
**Phase 1: Completed pre-decoding.
full event: '198.74.50.XXX - - [28/Apr/2015:16:45:42 -0700] "GET / HTTP/1.1" 200 6389 "-" "testuseragent"'
hostname: 'spookerlabs'
program_name: '(null)'
log: '198.74.50.XXX - - [28/Apr/2015:16:45:42 -0700] "GET / HTTP/1.1" 200 6389 "-" "testuseragent"'
**Phase 2: Completed decoding.
decoder: 'pure-transfer'
**Phase 3: Completed filtering (rules).
Rule id: '11310'
Level: '0'
Description: 'Rule grouping for pure ftpd transfers.'
Disabled the pure-transfer decoder and rule, so it worked fine:
198.74.50.XXX - - [28/Apr/2015:16:45:42 -0700] "GET / HTTP/1.1" 200 6389 "-" "testuseragent"
**Phase 1: Completed pre-decoding.
full event: '198.74.50.XXX - [28/Apr/2015:16:45:42 -0700] "GET / HTTP/1.1" 200 6389 "-" "testuseragent"'
hostname: 'spookerlabs'
program_name: '(null)'
log: '198.74.50.XXX - - [28/Apr/2015:16:45:42 -0700] "GET / HTTP/1.1" 200 6389 "-" "testuseragent"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '198.74.50.XXX'
url: '/'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'
Thanks
On Mon, Dec 29, 2014 at 12:39 PM, Glenn Ford <[email protected]> wrote:
> Awesome Thanks! So #2 solution is I could pull source code and build..
>
> Hrmm. :)
>
> On Wednesday, December 24, 2014 1:42:49 PM UTC-5, Glenn Ford wrote:
>
>> Hello All!
>>
>> Thanks to Dan I have a basic setup in place. I'd like to verify/test the
>> IDS is working properly for my apache logs.
>>
>> Is there a test attack script people use to flex the OSSEC IDS component
>> on apache logs?
>>
>> I could just run a dynamic pen test scanner (ibm appscan,etc) I guess?
>>
>> TIA!
>>
>> Glenn
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
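
Added example, not part of the original message and not OSSEC's own code: a Python check that parses ossec-logtest output of the shape pasted above and flags events where a line that looks like an Apache access-log entry was claimed by a decoder other than web-accesslog. The sample text is constructed from the message's output; the access-log regex and the function names are assumptions.

```python
import re

LINE = '198.74.50.XXX - - [28/Apr/2015:16:45:42 -0700] "GET / HTTP/1.1" 200 6389 "-" "testuseragent"'
# Constructed sample: two ossec-logtest results for the same line, shaped like the output above.
SAMPLE = f"""**Phase 1: Completed pre-decoding.
       full event: '{LINE}'
       hostname: 'spookerlabs'
**Phase 2: Completed decoding.
       decoder: 'pure-transfer'
**Phase 3: Completed filtering (rules).
       Rule id: '11310'
**Phase 1: Completed pre-decoding.
       full event: '{LINE}'
**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '198.74.50.XXX'
**Phase 3: Completed filtering (rules).
       Rule id: '31108'
"""

PHASE = re.compile(r"^\*\*Phase (\d):")
FIELD = re.compile(r"^\s*([A-Za-z_ ]+?):\s*'(.*)'\s*$")
# Assumption: what counts as an Apache access-log line for this check.
ACCESS_LOG = r'^\S+ \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD|PUT) \S+ HTTP/'

def parse_logtest(text):
    """Return one dict of field -> value per event (a new event starts at Phase 1)."""
    events, current = [], None
    for line in text.splitlines():
        phase = PHASE.match(line)
        if phase:
            if phase.group(1) == "1":
                current = {}
                events.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2)
    return events

def misdecoded(events, expected=((ACCESS_LOG, "web-accesslog"),)):
    """List (raw line, wanted decoder, actual decoder, rule id) for each mismatch."""
    return [(ev.get("full event", ""), want, ev.get("decoder"), ev.get("Rule id"))
            for ev in events for pattern, want in expected
            if re.search(pattern, ev.get("full event", "")) and ev.get("decoder") != want]

if __name__ == "__main__":
    for raw, want, got, rule in misdecoded(parse_logtest(SAMPLE)):
        print(f"decoder {got!r} (rule {rule}) claimed a line expected for {want!r}: {raw}")
```

An event with no decoder field at all is reported too, since its decoder is then `None`.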