Hi,
try with rule 31108.
<!--
10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...
-->
<rule id="100060" level="5">
  <if_sid>31108</if_sid>
  <match>requeststringtest.php</match>
  <description>request string test 2</description>
</rule>

<rule id="100160" level="5" frequency="5" timeframe="90">
  <if_matched_sid>100060</if_matched_sid>
  <same_source_ip />
  <description>MATCHED request string test 2</description>
</rule>
10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...

**Phase 1: Completed pre-decoding.
       full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '10.10.10.10'
       url: '//path/path2/requeststringtest.php;'
       id: '200'

**Rule debugging:
     Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
     Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
     Trying rule: 31108 - Ignored URLs (simple queries).
       *Rule 31108 matched.
       *Trying child rules.
     Trying rule: 31166 - Shellshock attack detected
     Trying rule: 31103 - SQL injection attempt.
     Trying rule: 100060 - request string test 2
       *Rule 100060 matched.
       *Trying child rules.
     Trying rule: 100160 - MATCHED request string test 2
       *Rule 100160 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100160'
       Level: '5'
       Description: 'MATCHED request string test 2'
**Alert to be generated.
Regards.
Jesus Linares.
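To show why the parent rule matters, here is a small Python model of the rule walk seen in the logtest trace above, added for this thread and not OSSEC's own code: with the custom rule hung off 31100 the walk stops at 31108 and never reaches 100060, while hung off 31108 it is reached, and a sliding window then stands in for rule 100160's frequency/timeframe/same_source_ip. The access-log regex, the "status 2xx/3xx" test standing in for rule 31108, and the window counting are my simplifications, not the real decoder or rule logic.

```python
import re
from collections import defaultdict

# Constructed access-log line from the thread (trailing fields trimmed).
LOG = ('10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] '
       '"GET //path/path2/requeststringtest.php; HTTP/1.1" 200 1234')
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "\w+ (?P<url>\S+) [^"]*" (?P<id>\d{3})')

def decode(line):
    """Stand-in for the web-accesslog decoder: returns srcip, url, id."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def rule_tree(custom_parent):
    """Toy copy of the rules involved. 31108 is modelled as 'status 2xx/3xx'
    (an assumption about the stock rule; only its place in the tree matters)."""
    return [
        {"id": 4,      "parent": None,          "test": lambda e: True},
        {"id": 31100,  "parent": 4,             "test": lambda e: True},
        {"id": 31108,  "parent": 31100,         "test": lambda e: e["id"][0] in "23"},
        {"id": 100060, "parent": custom_parent, "test": lambda e: "requeststringtest.php" in e["url"]},
    ]

def evaluate(rules, event):
    """Walk the tree the way the 'Trying rule' trace does: the first child that
    matches wins and the walk descends into it, so siblings listed after it are
    never tried. Returns the id of the deepest matching rule (None if nothing matched)."""
    matched = parent = None
    while event is not None:
        hit = next((r for r in rules if r["parent"] == parent and r["test"](event)), None)
        if hit is None:
            break
        matched = parent = hit["id"]
    return matched

def correlate(events, frequency=5, timeframe=90):
    """Simplified frequency/timeframe/same_source_ip model for rule 100160:
    count 100060 hits per source IP inside a sliding window (OSSEC's exact
    counting is not reproduced). events: [(epoch_seconds, log_line), ...]."""
    hits, fired = defaultdict(list), []
    for ts, line in events:
        ev = decode(line)
        if evaluate(rule_tree(31108), ev) != 100060:
            continue
        window = [t for t in hits[ev["srcip"]] if ts - t <= timeframe] + [ts]
        hits[ev["srcip"]] = window
        if len(window) >= frequency:
            fired.append((ts, ev["srcip"]))
    return fired
```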
On Thursday, February 25, 2016 at 1:47:10 PM UTC+1, James Culver wrote:
>
> I have added the following rules to local_rules.conf:
> <rule id="100060" level="5">
> <if_sid>31100</if_sid>
> <match>requeststringtest.php</match>
> <description>request string test 2</description>
> <options>alert_by_email</options>
> </rule>
>
> <rule id="100160" level="7" frequency="5" timeframe="90">
> <if_matched_sid>100060</if_matched_sid>
> <same_source_ip />
> <description>request string test 2</description>
> <options>alert_by_email</options>
> </rule>
> but OSSEC doesn't care at all. It counts the rules as being enabled, but
> no matter how many times or how fast I go to
> http://server.ip/whatever?X=requeststringtest.php (or any URL that includes the
> string), OSSEC completely ignores it. The out of the box rules work fine.
> If I port scan, ssh or HTTP brute-force, or pull too many 400 or 500
> errors, then the appropriate rules fire. But this rule doesn't do anything.
> What am I doing wrong?
>
> OSSEC 2.8.2
> CentOS 6
> Apache
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.