Thank you, this is helpful. Now it works with and without GET parameters. However, it only works if Apache records a hostname and not just "-" in the hostname position. And Apache doesn't always do that (in fact, in our logs, it never does it).
On Thursday, February 25, 2016 at 9:42:17 AM UTC-7, Jesus Linares wrote:
>
> Keep in mind that rule 31108 is for http codes 2xx and 3xx. If you want to
> log that request with 4xx or 5xx codes you should add these rules (31101,
> 31120...).
>
> It's working, but I'm thinking on a better way to do this.
>
> Regards.
> Jesus Linares.
>
>
> On Thursday, February 25, 2016 at 5:36:34 PM UTC+1, Jesus Linares wrote:
>>
>> That is because with GET parameters is not a simple query (rule 31108):
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
>>        hostname: 'LinMV'
>>        program_name: '(null)'
>>        log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'web-accesslog'
>>        srcip: '10.10.10.10'
>>        url: '/icons/whatever/?C=http://5.6.7.8/requeststringtest.php;'
>>        id: '200'
>>
>> **Rule debugging:
>>      Trying rule: 4 - Generic template for all web rules.
>>        *Rule 4 matched.
>>        *Trying child rules.
>>      Trying rule: 31100 - Access log messages grouped.
>>        *Rule 31100 matched.
>>        *Trying child rules.
>>      Trying rule: 31108 - Ignored URLs (simple queries).
>>      Trying rule: 31511 - Blacklisted user agent (wget).
>>
>> This is working:
>>
>> <!--
>> 10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...
>> 10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...
>> -->
>> <rule id="100060" level="5">
>>   <if_sid>31100,31108</if_sid>
>>   <match>requeststringtest.php</match>
>>   <description>request string test 2</description>
>> </rule>
>>
>> Regards.
>> Jesus Linares.
>>
>>
>> On Thursday, February 25, 2016 at 5:11:48 PM UTC+1, James Culver wrote:
>>>
>>> Thanks. I have tested your version of the rule, and it works *so long as* there aren't GET parameters in the requested URI.
>>>
>>> For example, the following request triggers an alert:
>>> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>>
>>> However, this request is ignored:
>>> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>>
>>> Any ideas why that is?
>>>
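The decoding and matching this thread walks through, as an added example that is not from the original posts or from OSSEC itself: a small Python approximation of the fields the web-accesslog decoder output above shows (srcip, url, id) and of the thread's rule 100060 match, run over constructed Apache lines that carry either a hostname or "-" in the second field, so you can see which lines parse and which would be alerted on. The regular expression, the "simple query" test and the sample lines are this example's own assumptions, not the OSSEC decoder's or ruleset's actual logic.

```python
import re

# Constructed sample lines modelled on those quoted in the thread. The second
# field is the identd/hostname position: a hostname in the first line, "-" in
# the others. The last line is deliberately not an access log line.
SAMPLE_LOGS = [
    '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 1234',
    '1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 200 68393',
    '1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 404 68393',
    '1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /index.html HTTP/1.1" 200 512',
    'not an access log line at all',
]

# Hypothetical approximation of the Apache common/combined log layout. It is
# this example's regex, not the OSSEC web-accesslog decoder's definition.
ACCESS_LOG = re.compile(
    r'^(?P<srcip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<proto>[^"]+))?" (?P<id>\d{3}) (?P<size>\S+)'
)


def decode(line):
    """Return the decoder-style fields (srcip, url, id), or None if the line does not parse."""
    m = ACCESS_LOG.match(line)
    if not m:
        return None
    return {"srcip": m["srcip"], "url": m["url"], "id": m["id"]}


def is_simple_query(url):
    # Approximation of what the thread calls a "simple query" (rule 31108):
    # a request URI without GET parameters.
    return "?" not in url


def matches_rule_100060(fields):
    # Mirrors <match>requeststringtest.php</match>: a substring test on the URL.
    return "requeststringtest.php" in fields["url"]


def undecoded(lines):
    """Lines the parser could not handle; the first thing to check when a rule 'never fires'."""
    return [line for line in lines if decode(line) is None]


def alerts(lines):
    """(srcip, url, status, simple_query) for every decodable line that rule 100060 would match."""
    out = []
    for line in lines:
        f = decode(line)
        if f and matches_rule_100060(f):
            out.append((f["srcip"], f["url"], f["id"], is_simple_query(f["url"])))
    return out
```

Feeding the actual lines from your access log to `undecoded()` is the quickest way to tell whether the "-" hostname lines fail at the decoding step or at the rule step.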
