Hi, I'm running into an issue where the active response is seeing a brute-force attempt when this is not the case.

When using a certain Joomla plugin the logs pick up the following:

Received From: (SRV) SERVER->/mnt/data/vhosts/WEBSITE.info/logs/access_log
Rule: 31510 fired (level 8) -> "CMS (WordPress or Joomla) brute force attempt."
Portion of the log(s):

78.133.70.43 - - [12/Jun/2015:18:11:50 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
78.133.70.43 - - [12/Jun/2015:18:11:49 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
78.133.70.43 - - [12/Jun/2015:18:11:48 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
78.133.70.43 - - [12/Jun/2015:18:11:47 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
78.133.70.43 - - [12/Jun/2015:18:11:45 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
78.133.70.43 - - [12/Jun/2015:18:11:44 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
78.133.70.43 - - [12/Jun/2015:18:11:43 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
78.133.70.43 - - [12/Jun/2015:18:11:41 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"

And the active response kicks in and the IP gets blocked. I cannot whitelist it since it's not a static IP. I cannot disable this rule, as there are several true brute-force attempts a day. Is there any way I can whitelist this com_breezingforms string so it doesn't fire? Thanks.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
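A local_rules.xml override that stops these form submissions being counted, added here as an example and not a reply from the original thread. It assumes OSSEC's stock layout in which 31510 counts repeated matches of the login-attempt rule 31509 (confirm with grep in /var/ossec/rules/web_rules.xml), and picks 100510 as an arbitrary id from the local rule range; note that com_breezingforms appears only in the Referer, not in the requested URL, so the rule matches the whole log line rather than the decoded url field.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="local,web,">

  <!-- BreezingForms "quickmode" submissions POST to /administrator/index.php,
       which the stock login-attempt rule 31509 classifies as a Joomla login.
       Repeated hits from one IP within 31510's timeframe then fire 31510
       (level 8) and the active response blocks the visitor.

       This child rule re-classifies a 31509 match whose log line carries the
       BreezingForms Referer as a form submission. Level 0 means the event is
       not stored as an alert, so it is not counted by 31510's if_matched_sid
       and the active response is never triggered.

       The plugin name is only in the Referer, which OSSEC's web decoder does
       not extract as a field, so <match> (a plain substring test over the
       whole log line) is used instead of <url>. The id 100510 is an
       arbitrary choice from the 100000-119999 range reserved for local rules. -->
  <rule id="100510" level="0">
    <if_sid>31509</if_sid>
    <match>option=com_breezingforms</match>
    <description>Joomla BreezingForms quickmode submission, not a login attempt.</description>
  </rule>

</group>
```

Verify by pasting one of the access_log lines into /var/ossec/bin/ossec-logtest: it should report rule 100510 at level 0 rather than 31509. Because the Referer header is supplied by the client, the exclusion is only as trustworthy as that header, so leave 31510 itself unchanged so genuine login floods are still blocked.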
