Ah, I see! Thanks for clearing that out :)

/f

On Tuesday, March 1, 2016 at 12:15:49 PM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> The expression <if_sid>31100,31108</if_sid> is an *OR* expression. If
> 31100 or 31108 have matched, then the rule matches.
>
> Regards.
> Jesus Linares.
>
> On Monday, February 29, 2016 at 9:42:20 AM UTC+1, Fredrik wrote:
>>
>> Hi Jesus,
>>
>> Sorry to break into the conversation like this - interesting post, James!
>> I was just curious as to how I should interpret your example with two
>> entries in the <if_sid> statement? Is this to tell OSSEC if both 31100,
>> 31108 then match the user defined rule?
>>
>> Thanks,
>> Fredrik
>>
>> On Thursday, February 25, 2016 at 5:36:34 PM UTC+1, Jesus Linares wrote:
>>>
>>> That is because with GET parameters it is not a simple query (rule 31108):
>>>
>>> **Phase 1: Completed pre-decoding.
>>> full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
>>> hostname: 'LinMV'
>>> program_name: '(null)'
>>> log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
>>>
>>> **Phase 2: Completed decoding.
>>> decoder: 'web-accesslog'
>>> srcip: '10.10.10.10'
>>> url: '/icons/whatever/?C=http://5.6.7.8/requeststringtest.php;'
>>> id: '200'
>>>
>>> **Rule debugging:
>>> Trying rule: 4 - Generic template for all web rules.
>>> *Rule 4 matched.
>>> *Trying child rules.
>>> Trying rule: 31100 - Access log messages grouped.
>>> *Rule 31100 matched.
>>> *Trying child rules.
>>> Trying rule: 31108 - Ignored URLs (simple queries).
>>> Trying rule: 31511 - Blacklisted user agent (wget).
>>>
>>> This is working:
>>>
>>> <!--
>>> 10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...
>>> 10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...
>>> -->
>>> <rule id="100060" level="5">
>>>   <if_sid>31100,31108</if_sid>
>>>   <match>requeststringtest.php</match>
>>>   <description>request string test 2</description>
>>> </rule>
>>>
>>> Regards.
>>> Jesus Linares.
>>>
>>> On Thursday, February 25, 2016 at 5:11:48 PM UTC+1, James Culver wrote:
>>>>
>>>> Thanks. I have tested your version of the rule, and it works *so long
>>>> as* there aren't GET parameters in the requested URI.
>>>>
>>>> For example, the following request triggers an alert:
>>>> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>>>
>>>> However, this request is ignored:
>>>> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>>>
>>>> Any ideas why that is?
>>>>
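As an added illustration (not code from the thread or from OSSEC), a small Python model of the decoder and rule-tree walk shown in the ossec-logtest output above; the access-log regex and the "no query string" test standing in for rule 31108 are assumptions, but the model reproduces why rule 100060 fires on both sample events only when its <if_sid> lists 31100 and 31108 (OR), and on the plain path alone when it lists only 31108.

```python
import re

# Constructed sample events, modelled on the two lines quoted in the thread:
# a plain path, and a path carrying a GET parameter.
SIMPLE = ('10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] '
          '"GET //path/path2/requeststringtest.php; HTTP/1.1" 200 Text...')
QUERY = ('10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] '
         '"GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...')

# Stand-in for the web-accesslog decoder (Phase 2). Assumed regex, not OSSEC's own.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<id>\d+)')


def decode(line):
    """Return the fields the decoder would expose (srcip, method, url, id), or None."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


# Parent rules from the thread. The "simple query" condition on 31108 is an
# assumption standing in for the real rule's URL regex.
BASE_RULES = [
    {"id": 31100, "if_sid": [], "cond": lambda ev: True},
    {"id": 31108, "if_sid": [31100], "cond": lambda ev: "?" not in ev["url"]},
]


def matched_rules(line, custom_if_sid):
    """Walk the rule tree for one event. custom_if_sid is the <if_sid> list of
    rule 100060. Simplification: a rule is tested when ANY rule in its if_sid
    list has already matched (the OR semantics explained in the thread)."""
    ev = decode(line)
    if ev is None:
        return set()
    rules = BASE_RULES + [{"id": 100060, "if_sid": custom_if_sid,
                           "cond": lambda ev: "requeststringtest.php" in ev["url"]}]
    matched = set()
    for r in rules:  # parents are listed before children, so one pass suffices
        parent_ok = not r["if_sid"] or any(p in matched for p in r["if_sid"])
        if parent_ok and r["cond"](ev):
            matched.add(r["id"])
    return matched


if __name__ == "__main__":
    for name, line in (("simple", SIMPLE), ("query", QUERY)):
        print(name, "if_sid=31108:", sorted(matched_rules(line, [31108])))
        print(name, "if_sid=31100,31108:", sorted(matched_rules(line, [31100, 31108])))
```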
