Hi Jesus,
Sorry to break into the conversation like this - interesting post James! I was just curious as to how I should interpret your example with two entries in the <if_sid> statement? Is this to tell OSSEC if both 31100, 31108 then match the user-defined rule?

Thanks,
Fredrik

On Thursday, February 25, 2016 at 5:36:34 PM UTC+1, Jesus Linares wrote:
>
> That is because with GET parameters it is not a simple query (rule 31108):
>
> **Phase 1: Completed pre-decoding.
> full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
> hostname: 'LinMV'
> program_name: '(null)'
> log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
>
> **Phase 2: Completed decoding.
> decoder: 'web-accesslog'
> srcip: '10.10.10.10'
> url: '/icons/whatever/?C=http://5.6.7.8/requeststringtest.php;'
> id: '200'
>
> **Rule debugging:
> Trying rule: 4 - Generic template for all web rules.
> *Rule 4 matched.
> *Trying child rules.
> Trying rule: 31100 - Access log messages grouped.
> *Rule 31100 matched.
> *Trying child rules.
> Trying rule: 31108 - Ignored URLs (simple queries).
> Trying rule: 31511 - Blacklisted user agent (wget).
>
> This is working:
>
> <!--
> 10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...
> 10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...
> -->
> <rule id="100060" level="5">
>   <if_sid>31100,31108</if_sid>
>   <match>requeststringtest.php</match>
>   <description>request string test 2</description>
> </rule>
>
> Regards.
> Jesus Linares.
>
> On Thursday, February 25, 2016 at 5:11:48 PM UTC+1, James Culver wrote:
>>
>> Thanks.
>> I have tested your version of the rule, and it works *so long as* there aren't GET parameters in the requested URI.
>>
>> For example, the following request triggers an alert:
>> 1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>
>> However, this request is ignored:
>> 1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>
>> Any ideas why that is?
>>
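An added toy model of the behaviour discussed in this thread (editor's example, not OSSEC's code and not posted by anyone here). It walks the rule tree the way the logtest output shows, with rule 31108 approximated as "URL without a query string" (the real rule uses a URL regex), and compares the custom rule with `<if_sid>31108</if_sid>` alone (assumed to be the earlier version James tested; the thread does not show it) against Jesus's `<if_sid>31100,31108</if_sid>`. The helper names `decode`, `custom_rules`, `evaluate` and `alerts` are assumptions, as is the root-at-31100 simplification.

```python
import re

# Constructed inputs: the two access-log lines quoted in the thread.
EVENTS = [
    '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...',
    '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...',
]

# Minimal stand-in for the web-accesslog decoder (srcip, method, url, status id).
ACCESSLOG = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<id>\d+)')

def decode(event):
    """Return the decoded fields, or None if the line is not an access-log entry."""
    m = ACCESSLOG.match(event)
    return m.groupdict() if m else None

# Toy rule tree modelled on the logtest output. 31108 ("simple queries") is
# approximated as "no query string in the URL"; the real rule uses a URL regex.
BASE_RULES = {
    31100: {"parents": [], "level": 0, "test": lambda d: True},
    31108: {"parents": [31100], "level": 0, "test": lambda d: "?" not in d["url"]},
}

def custom_rules(if_sid):
    """Hypothetical helper: add rule 100060 from the thread with the given <if_sid> list."""
    rules = dict(BASE_RULES)
    rules[100060] = {"parents": list(if_sid), "level": 5,
                     "test": lambda d: "requeststringtest.php" in d["url"]}
    return rules

def evaluate(decoded, rules, rule_id=31100):
    """Descend from rule_id like OSSEC: a rule is a child of every parent named in
    its if_sid list (any one is enough); children are tried highest level first
    and the first match is followed. Returns the deepest matching rule id."""
    children = sorted((c for c, r in rules.items() if rule_id in r["parents"]),
                      key=lambda c: rules[c]["level"], reverse=True)
    for child in children:
        if rules[child]["test"](decoded):
            return evaluate(decoded, rules, child)
    return rule_id

def alerts(rules):
    """Map each event URL to the alerting rule id, or None if only level-0 rules matched."""
    result = {}
    for decoded in filter(None, map(decode, EVENTS)):
        final = evaluate(decoded, rules)
        result[decoded["url"]] = final if rules[final]["level"] > 0 else None
    return result
```

With only 31108 as parent the GET-parameter request never reaches rule 100060 because 31108 does not match it; listing 31100 as well makes 100060 a candidate directly under 31100, so either parent matching is enough.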
