Greetings,
As a new OSSEC user, I have found some of the alerts difficult to make
sense of. Is there any documentation (or decoder ring :-)) that helps with
this?
Trying to make sense of some of the different sections in the below alert:
OSSEC HIDS Notification.
2016 Mar 08 21:00:02
Received From: .log
Rule: 100032 fired (level 13) -> "Shellshock Exploit Attempt"
Portion of the log(s):
Mar 8 21:00:01 ??? WAF src= spt=13006 dst=??? dpt=443 actionTaken=CLOAK
attackDescription=UNRECOGNIZED_COOKIE attackDetails=[Cookie\="echo"
Service-created\="211 days back" Reason\="No valid encrypted pair"]
attackGroup=ATTACK_CATEGORY_SESSION_TAMPER attackId=29030 logType=WF
app=HTTPS request=.net/ requestMethod=GET rt=1457492380066
userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" " referer=()
{ :;}; echo; echo "QPZVGMTHKAYNGZV"
If someone could help me break this alert down (i.e. each section/label)
that would be much appreciated.
J~
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
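Added example (not part of the original post, and not OSSEC's or the WAF vendor's code): a small Python script that splits an OSSEC mail alert into its labelled sections (alert time, "Received From", rule id, level, description, and the quoted log portion) and then splits the WAF log line into its key=value fields, so each label in the alert above can be read on its own. The sample alert embedded in it is constructed from the one quoted above; the agent name, log path and request host are assumed placeholders, the reading of `rt` as a CEF-style receipt time in epoch milliseconds is an assumption, and the `() {` prefix is flagged as the Bash function-definition pattern that Shellshock detection rules such as this one usually key on.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the alert quoted in the post. "???" and the
# empty src= are the post's own redactions; the agent name, log path and
# request host are placeholders chosen here (assumed OSSEC "Received From"
# format: "(agent) ip->path").
SAMPLE_ALERT = r'''OSSEC HIDS Notification.
2016 Mar 08 21:00:02

Received From: (waf-agent) 192.0.2.10->/var/log/waf-placeholder.log
Rule: 100032 fired (level 13) -> "Shellshock Exploit Attempt"
Portion of the log(s):

Mar 8 21:00:01 ??? WAF src= spt=13006 dst=??? dpt=443 actionTaken=CLOAK attackDescription=UNRECOGNIZED_COOKIE attackDetails=[Cookie\="echo" Service-created\="211 days back" Reason\="No valid encrypted pair"] attackGroup=ATTACK_CATEGORY_SESSION_TAMPER attackId=29030 logType=WF app=HTTPS request=example.net/ requestMethod=GET rt=1457492380066 userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" " referer=() { :;}; echo; echo "QPZVGMTHKAYNGZV"
'''

RULE_RE = re.compile(r'Rule: (\d+) fired \(level (\d+)\) -> "(.*)"')
RECV_RE = re.compile(r'Received From: (.*)')
# A key is a word that starts after whitespace and is immediately followed by
# '='. The escaped 'Cookie\=' pairs inside attackDetails=[...] are not matched
# because the character before their '=' is a backslash, not a key character.
KEY_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z][\w-]*)=')
# Bash function-definition prefix that Shellshock probes put in HTTP headers.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
LOG_MARKER = "Portion of the log(s):"


def parse_ossec_alert(text):
    """Split the mail alert into its labelled OSSEC sections."""
    lines = text.strip().splitlines()
    alert = {"header": lines[0], "alert_time": lines[1]}
    m = RECV_RE.search(text)
    alert["received_from"] = m.group(1).strip() if m else None
    m = RULE_RE.search(text)
    alert["rule_id"] = int(m.group(1))      # 100000+ is the local/custom rule range
    alert["level"] = int(m.group(2))        # OSSEC severity 0..15
    alert["description"] = m.group(3)
    # Mail clients wrap the log line; join the wrapped pieces back together.
    tail = text.split(LOG_MARKER, 1)[1]
    alert["log"] = " ".join(l.strip() for l in tail.splitlines() if l.strip())
    return alert


def _unwrap(value):
    """Drop one layer of symmetric "..." or [...] around a field value."""
    if len(value) >= 2 and (value[0] == value[-1] == '"'
                            or (value[0] == '[' and value[-1] == ']')):
        return value[1:-1].strip()
    return value


def parse_kv(log):
    """Split the WAF line into key=value fields; values may contain spaces,
    embedded quotes or brackets, so each value runs up to the next key."""
    keys = list(KEY_RE.finditer(log))
    fields = {"_prefix": log[:keys[0].start()].strip()} if keys else {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(log)
        fields[m.group(1)] = _unwrap(log[m.end():end].strip())
    return fields


def shellshock_fields(fields):
    """Names of the fields carrying the '() {' pattern the rule fired on."""
    return sorted(k for k, v in fields.items() if SHELLSHOCK_RE.search(v))


def receipt_time(fields):
    """Assumption: rt is a CEF-style receipt time in epoch milliseconds."""
    return datetime.fromtimestamp(int(fields["rt"]) / 1000, tz=timezone.utc)


def explain(alert_text):
    """Full breakdown: OSSEC sections, WAF fields, and what tripped the rule."""
    alert = parse_ossec_alert(alert_text)
    fields = parse_kv(alert["log"])
    return {
        "ossec": {k: alert[k] for k in
                  ("alert_time", "received_from", "rule_id", "level", "description")},
        "waf": fields,
        "shellshock_in": shellshock_fields(fields),
        "receipt_time_utc": receipt_time(fields).isoformat(),
    }


if __name__ == "__main__":
    breakdown = explain(SAMPLE_ALERT)
    for section, content in breakdown.items():
        print(f"== {section} ==")
        if isinstance(content, dict):
            for k, v in content.items():
                print(f"  {k}: {v!r}")
        else:
            print(f"  {content}")
```

The split into "OSSEC sections" versus "WAF fields" mirrors how the alert is built: everything above "Portion of the log(s):" is added by OSSEC (when it fired, which agent and file it came from, which rule and at what level), and everything below is the original WAF event that the decoder matched. Two observations from running it on the sample: the WAF itself classified the request as session tampering (an unrecognised cookie) and cloaked it, while the OSSEC rule fired on the Shellshock pattern present in both the User-Agent and Referer values, so the two products are describing the same request from different angles.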