On Thu, Jun 18, 2015 at 10:24 AM, Naithan Weigh <[email protected]> wrote:
> Hi
>
> I'm running into an issue where the active response is seeing a brute-force
> attempt when this is not the case.
>
> When using a certain Joomla plugin, the logs pick up the following:
>
>
> Received From: (SRV) SERVER->/mnt/data/vhosts/WEBSITE.info/logs/access_log
>
> Rule: 31510 fired (level 8) -> "CMS (WordPress or Joomla) brute force
> attempt."
>
> Portion of the log(s):
>
>
>
> 78.133.70.43 - - [12/Jun/2015:18:11:50 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
> 78.133.70.43 - - [12/Jun/2015:18:11:49 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
> 78.133.70.43 - - [12/Jun/2015:18:11:48 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
> 78.133.70.43 - - [12/Jun/2015:18:11:47 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
> 78.133.70.43 - - [12/Jun/2015:18:11:45 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
> 78.133.70.43 - - [12/Jun/2015:18:11:44 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
> 78.133.70.43 - - [12/Jun/2015:18:11:43 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
> 78.133.70.43 - - [12/Jun/2015:18:11:41 +0100] "POST /administrator/index.php
> HTTP/1.1" 200 159
> "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/43.0.2357.124 Safari/537.36"
>
>
> And active response kicks in and the IP gets blocked.
>
> I cannot whitelist, since it's not a static IP.
>
> I cannot disable this rule, as it has several true brute-force attempts a day.
>
> Is there any way I can whitelist this com_breezingforms string so it doesn't
> fire?
>

I can't do any testing at the moment, but something like:
<!-- in local_rules.xml; OSSEC rules must sit inside a <group> element -->
<group name="local,">
  <!-- child of 31510: a level-0 match becomes the final rule, so no alert -->
  <rule id="999999" level="0">
    <if_sid>31510</if_sid>
    <match>com_breezingforms</match>
    <description>ignore</description>
  </rule>
</group>

might work.

> Thanks.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
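To make the suppression mechanism concrete, here is an added example that is not OSSEC code and not from the thread: a small Python model of the rule chain discussed above. It assumes that the parent rule treats any POST to /administrator/index.php as a CMS login attempt, that the brute-force rule fires after 6 such hits from one source IP within 60 seconds (assumed values; OSSEC's real ones live in web_rules.xml), and that the posted level-0 child rule is a plain substring match on the raw line, which is what OSSEC's `<match>` does. The log lines, referers and IP addresses are constructed for the example.

```python
"""Toy model of the OSSEC rule chain from the thread. Constructed example, not
OSSEC's own code. Assumptions: the parent rule is "POST to
/administrator/index.php"; the brute-force rule fires after THRESHOLD hits from
one source IP inside WINDOW seconds; the override is the posted level-0 child
rule, a substring match on the raw log line."""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 6   # assumed frequency of the brute-force rule
WINDOW = 60     # assumed timeframe in seconds

# Apache combined format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def cms_login_attempt(ev):
    """Stand-in for the parent rule: a POST to the Joomla admin login URL."""
    return ev["req"].startswith("POST /administrator/index.php")


def override_matches(line):
    """The posted child rule: <match>com_breezingforms</match>. OSSEC's <match>
    is a substring test on the whole line, so the referer field satisfies it."""
    return "com_breezingforms" in line


def evaluate(lines, use_override=True):
    """Return (ip, line) pairs for which a level-8 alert, and with it the
    active response, would be raised."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent login POSTs
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or not cms_login_attempt(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > WINDOW:
            q.popleft()
        if len(q) < THRESHOLD:
            continue
        # Brute-force rule matched. Its children are tried next; a matching
        # level-0 child becomes the final rule and no alert is produced.
        if use_override and override_matches(line):
            continue
        alerts.append((ev["ip"], line))
        q.clear()   # assumed: the counter starts over once the rule has fired
    return alerts


def apache_line(ip, ts, referer):
    """Build a constructed line shaped like the ones posted in the thread."""
    return (f'{ip} - - [{ts}] "POST /administrator/index.php HTTP/1.1" 200 159 '
            f'"{referer}" "Mozilla/5.0 (constructed)"')


PLUGIN_REF = ("http://WEBSITE.info/administrator/index.php?option=com_breezingforms"
              "&format=html&act=quickmode&formName=Training_Registration_Form&form=1")
LOGIN_REF = "http://WEBSITE.info/administrator/"

# Constructed traffic using RFC 5737 documentation addresses: eight rapid form
# posts from the plugin, and eight rapid plain login posts (a real brute force).
PLUGIN_BURST = [apache_line("192.0.2.10", f"12/Jun/2015:18:11:{41 + i:02d} +0100", PLUGIN_REF)
                for i in range(8)]
BRUTE_BURST = [apache_line("198.51.100.7", f"12/Jun/2015:18:20:{i:02d} +0100", LOGIN_REF)
               for i in range(8)]

if __name__ == "__main__":
    print("plugin traffic, no override:  ", len(evaluate(PLUGIN_BURST, use_override=False)))
    print("plugin traffic, with override:", len(evaluate(PLUGIN_BURST)))
    print("real brute force, override on:", len(evaluate(BRUTE_BURST)))
```

Two things to take from the model. First, the override only removes the alert for lines that carry the plugin string, so a plain login burst from another address still fires; on a real install, paste one of the plugin lines into /var/ossec/bin/ossec-logtest and confirm that the final matched rule is 999999 at level 0. Second, the matched substring lives in the Referer header, which the client controls, so anyone who sends `com_breezingforms` in their Referer is exempted from this particular brute-force rule; the trade-off is acceptable for a non-static IP that cannot be whitelisted, but it is worth knowing.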
