On Mar 10, 2016 5:32 AM, "Johnny InfoSec" <[email protected]> wrote:
>
> Greetings,
>
> As a new OSSEC user, I have found some of the alerts difficult to make
> sense of. Is there any documentation (or decoder ring :-)) that helps with
> this?
>
> Trying to make sense of some of the different sections in the below alert:
>
> OSSEC HIDS Notification.
>
This is the subject.
> 2016 Mar 08 21:00:02
>
>
Timestamp
>
> Received From: .log
>
Where the log triggering the alert originated.
> Rule: 100032 fired (level 13) -> "Shellshock Exploit Attempt"
>
The rule ID, level, and description.
> Portion of the log(s):
>
>
>
> Mar 8 21:00:01 ??? WAF src= spt=13006 dst=??? dpt=443 actionTaken=CLOAK
> attackDescription=UNRECOGNIZED_COOKIE attackDetails=[Cookie\="echo"
> Service-created\="211 days back" Reason\="No valid encrypted pair"]
> attackGroup=ATTACK_CATEGORY_SESSION_TAMPER attackId=29030 logType=WF
> app=HTTPS request=.net/ requestMethod=GET rt=1457492380066
> userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" " referer=()
> { :;}; echo; echo "QPZVGMTHKAYNGZV"
>
The log that triggered the alert.
>
> If someone could help me break this alert down (i.e. each section/label)
> that would be much appreciated.
>
>
> J~
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
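As an added example, not code from the thread or from OSSEC itself, here is a small Python parser that splits a notification like the one above into the sections named in the reply (timestamp, Received From, rule id/level/description, log portion) and then breaks the WAF log portion into its key=value fields, flagging the Shellshock trigger sequence in the header values. The host name, IP addresses and request URL in the sample are placeholders, since the original post redacts them.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the alert quoted above; the host names, IPs
# and request URL are placeholders because the original post redacts them.
SAMPLE_ALERT = r"""OSSEC HIDS Notification.
2016 Mar 08 21:00:02

Received From: (waf01) 192.0.2.10->/var/log/waf.log
Rule: 100032 fired (level 13) -> "Shellshock Exploit Attempt"
Portion of the log(s):

Mar 8 21:00:01 waf01 WAF src=198.51.100.7 spt=13006 dst=203.0.113.5 dpt=443 actionTaken=CLOAK attackDescription=UNRECOGNIZED_COOKIE attackDetails=[Cookie\="echo" Service-created\="211 days back" Reason\="No valid encrypted pair"] attackGroup=ATTACK_CATEGORY_SESSION_TAMPER attackId=29030 logType=WF app=HTTPS request=https://example.net/ requestMethod=GET rt=1457492380066 userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" " referer=() { :;}; echo; echo "QPZVGMTHKAYNGZV"
"""
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"$')
# A value runs until the next " key=" token, so a payload that breaks the
# WAF's own quoting (as the userAgent field above does) still parses whole.
KV_RE = re.compile(r'(\w+)=(.*?)(?= \w+=|$)')
# Bash function-definition prefix that Shellshock probes place in HTTP headers.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')

@dataclass
class Alert:
    timestamp: str = ""
    received_from: str = ""
    rule_id: int = 0
    level: int = 0
    description: str = ""
    log: str = ""

def parse_alert(text: str) -> Alert:
    """Split an OSSEC notification mail into the sections the reply names."""
    lines = text.strip().splitlines()
    alert = Alert(timestamp=lines[1].strip())   # the line after the subject
    for i, line in enumerate(lines):
        if line.startswith("Received From:"):
            alert.received_from = line.split(":", 1)[1].strip()
        elif (m := RULE_RE.match(line)):
            alert.rule_id, alert.level, alert.description = int(m[1]), int(m[2]), m[3]
        elif line.startswith("Portion of the log(s):"):
            # Everything after this label, minus blank lines, is the raw log.
            alert.log = "\n".join(l for l in lines[i + 1:] if l.strip())
            break
    return alert

def log_fields(log: str) -> dict:
    """Break the WAF log portion into its key=value fields."""
    return dict(KV_RE.findall(log))

def is_shellshock_probe(value: str) -> bool:
    """True if a header value carries the Shellshock trigger sequence."""
    return SHELLSHOCK_RE.search(value) is not None
```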