Thanks, I will try and post results.

On Thursday, June 18, 2015 at 4:25:47 PM UTC+2, Naithan Weigh wrote:
> Hi
>
> I'm running into an issue where the active-response is seeing a brute-force attempt when this is not the case.
>
> When using a certain Joomla plugin the logs pick up the following:
>
> Received From: (SRV) SERVER->/mnt/data/vhosts/WEBSITE.info/logs/access_log
> Rule: 31510 fired (level 8) -> "CMS (WordPress or Joomla) brute force attempt."
> Portion of the log(s):
>
> 78.133.70.43 - - [12/Jun/2015:18:11:50 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1 <http://europeanfunds.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1>" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> 78.133.70.43 - - [12/Jun/2015:18:11:49 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1 <http://europeanfunds.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1>" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> 78.133.70.43 - - [12/Jun/2015:18:11:48 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1 <http://europeanfunds.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1>" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> 78.133.70.43 - - [12/Jun/2015:18:11:47 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1 <http://europeanfunds.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1>" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> 78.133.70.43 - - [12/Jun/2015:18:11:45 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1 <http://europeanfunds.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1>" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> 78.133.70.43 - - [12/Jun/2015:18:11:44 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1 <http://europeanfunds.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1>" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> 78.133.70.43 - - [12/Jun/2015:18:11:43 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingf <http://europeanfunds.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1>
> ...
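The false positive in the quoted report comes from a frequency rule: every POST to `/administrator/index.php` counts as a CMS login attempt, and enough of them from one source IP within a short window fire rule 31510, whether they are password guesses or a form plugin posting back to the admin controller. The usual fix is a local child rule that matches the plugin's tell-tale (here the `option=com_breezingforms` referer) and drops those events to level 0, so the composite rule never counts them. The script below is an added example written for this thread, not OSSEC's own code or anything posted by the participants: it emulates the per-event rule plus the frequency rule over constructed Apache combined-format lines modelled on the excerpt, and shows that the exclusion removes the plugin alert while a real burst of referer-less POSTs still trips. The parent rule id (31509), the threshold of 6 events in 30 seconds, the counter reset after firing, and the sample IPs (RFC 5737 documentation ranges) are assumptions; check the values in your own `web_rules.xml` before relying on them.

```python
"""Emulate OSSEC's CMS login-attempt / brute-force rule pair on Apache access-log lines
and test a referer-based exclusion for a Joomla form plugin.
Added example, not OSSEC's code. Rule ids, thresholds and sample data are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, which is what the thread's excerpt is in.
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

LOGIN_URLS = ("wp-login.php", "/administrator/index.php")  # url list of the per-event rule (assumed 31509)
FREQUENCY, TIMEFRAME = 6, 30        # assumed threshold of rule 31510; verify in web_rules.xml
EXCLUDE = "option=com_breezingforms"  # plugin marker seen in the referer on the thread


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def is_login_attempt(ev):
    """Per-event rule logic: a POST whose URL contains a CMS login path."""
    return ev["method"] == "POST" and any(u in ev["url"] for u in LOGIN_URLS)


def is_plugin_form_post(ev):
    """Local exclusion: the referer shows a BreezingForms quickmode form, so this
    POST is a form submission routed through the admin controller, not a login."""
    return EXCLUDE in ev["referer"]


def brute_force_alerts(lines, exclude=True):
    """Return (source_ip, timestamp) for each time the frequency rule would fire."""
    window = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or not is_login_attempt(ev):
            continue
        if exclude and is_plugin_form_post(ev):
            continue  # a level-0 child rule swallows the event, so it is never counted
        q = window[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()
        if len(q) >= FREQUENCY:
            alerts.append((ev["src"], ev["ts"]))
            q.clear()  # assumed: the counter restarts once the composite rule fires
    return alerts


def _line(src, second, referer):
    """Constructed sample line in combined format, modelled on the thread's excerpt."""
    return (f'{src} - - [12/Jun/2015:18:11:{second:02d} +0100] '
            f'"POST /administrator/index.php HTTP/1.1" 200 159 '
            f'"{referer}" "Mozilla/5.0 (constructed sample)"')


FORM_REF = ("http://example.test/administrator/index.php"
            "?option=com_breezingforms&format=html&act=quickmode")
# Seven plugin form posts in seven seconds from one client (constructed).
FORM_POSTS = [_line("192.0.2.10", s, FORM_REF) for s in range(43, 50)]
# Seven bare POSTs with no referer from another client (constructed).
BRUTE_FORCE = [_line("203.0.113.5", s, "-") for s in range(10, 17)]

if __name__ == "__main__":
    print("stock rules, plugin traffic :", brute_force_alerts(FORM_POSTS, exclude=False))
    print("with exclusion, plugin traffic:", brute_force_alerts(FORM_POSTS))
    print("with exclusion, bare POST burst:", brute_force_alerts(BRUTE_FORCE))
```

In OSSEC terms the exclusion corresponds to a `local_rules.xml` entry along the lines of `<if_sid>31509</if_sid>` plus `<match>option=com_breezingforms</match>` at level 0; because a matched child rule replaces its parent as the event's final rule, the `if_matched_sid` counter behind 31510 never sees those lines. Keep the match as narrow as the plugin's real requests, and keep the bare-POST case covered, as the third call above checks.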
