Hi all, and thanks for reading.

I am new to OSSEC; however, I've got my system up and running without any 
problems. Now I have to fine-tune it for my network, and this is where my 
troubles start.

I am getting alerts that I need to ignore. Most local rules work fine, but 
one alert is giving me a headache.

rule.sid 31533

192.168.70.36 - - [29/Jul/2016:08:53:36 +0200] "POST /zabbix/zabbix.php?action=widget.system.view&sid=c55a80ec836cf855&upd_counter=26&pmasterid=dashboard HTTP/1.1" 200 9811 "http://zabbix.electromach.nl/zabbix/zabbix.php?action=dashboard.view" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0"

This results in the following:

**Phase 1: Completed pre-decoding.
       full event: '192.168.70.36 - - [29/Jul/2016:08:53:36 +0200] "POST /zabbix/zabbix.php?action=widget.system.view&sid=c55a80ec836cf855&upd_counter=26&pmasterid=dashboard HTTP/1.1" 200 9811 "http://zabbix.electromach.nl/zabbix/zabbix.php?action=dashboard.view" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0"'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '192.168.70.36 - - [29/Jul/2016:08:53:36 +0200] "POST /zabbix/zabbix.php?action=widget.system.view&sid=c55a80ec836cf855&upd_counter=26&pmasterid=dashboard HTTP/1.1" 200 9811 "http://zabbix.electromach.nl/zabbix/zabbix.php?action=dashboard.view" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.70.36'
       url: '/zabbix/zabbix.php?action=widget.system.view&sid=c55a80ec836cf855&upd_counter=26&pmasterid=dashboard'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31530'
       Level: '3'
       Description: 'POST request received.'

Rule 31530 leads to 31533 in the second stage via <if_matched_sid>:

  <rule id="31533" level="10" timeframe="20" frequency="6">
    <if_matched_sid>31530</if_matched_sid>
    <same_source_ip />
    <description>High amount of POST requests in a small period of time (likely bot).</description>
    <group>pci_dss_6.5,pci_dss_11.4,</group>
  </rule>


I've created the following local rule (among many; I've been trying things for 
hours):

  <rule id="100034" level="0">
    <if_sid>31533</if_sid>
    <match>POST /zabbix/zabbix.php</match>
    <decoded_as>web-accesslog</decoded_as>
    <url>http://zabbix.electromach.nl/zabbix/zabbix.php?action=dashboard.view</url>
    <description>Ignore all zabbix view requests</description>
  </rule>
</group>

Whatever I do, it always ends up at level 3.
Of course I restart OSSEC after editing my rules.

Can someone help me out with this?

Thanks in advance.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
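An added example of how this suppression is usually written, not code from the original post or from the OSSEC project. It assumes the stock rule ids 31530 (single POST) and 31533 (POST flood) from the shipped web rules, the local id 100034 from the post, and the hypothetical monitoring subnet 192.168.70.0/24. Two things in the posted rule explain the behaviour seen in ossec-logtest: `<if_sid>31533</if_sid>` makes 100034 a child of the composite rule, which only fires after six 31530 hits from one source within 20 seconds, so a single pasted line (which is all ossec-logtest ever evaluates) can never reach it and the test stops at 31530, level 3; and `<url>` is compared against the decoded `url` field, which is the request path (`/zabbix/zabbix.php?action=...`), not the Referer header. The fix is to override the first-stage rule instead, so the events stop matching 31530 and therefore stop feeding the 31533 counter:

```xml
<!-- local_rules.xml fragment. Added example, not from the original post or the
     OSSEC project. Assumes stock rule ids 31530/31533 and the hypothetical
     monitoring subnet 192.168.70.0/24; the <group> opener is included here so
     the fragment is well-formed on its own (the posted snippet's trailing
     </group> presumably closes a group opened earlier in the file). -->
<group name="local,web,">

  <!-- Child of the single-POST rule (31530), NOT of the flood rule (31533).
       When this rule matches, the event's final rule id is 100034, so it no
       longer counts toward <if_matched_sid>31530</if_matched_sid> in 31533. -->
  <rule id="100034" level="0">
    <if_sid>31530</if_sid>

    <!-- Matched against the decoded "url" field, i.e. the request path.
         "?" has a regex meaning in OSSEC's regex syntax, so anchor on the path
         prefix and stop before the query string rather than quoting it. -->
    <url>^/zabbix/zabbix.php</url>

    <!-- Scope the exception to the monitoring LAN (assumed range) so that a
         POST flood against the same path from anywhere else still escalates. -->
    <srcip>192.168.70.0/24</srcip>

    <description>Ignore Zabbix dashboard POST requests from the monitoring LAN.</description>
  </rule>

</group>
```

The `<match>` and `<decoded_as>` conditions from the posted rule are dropped: `<if_sid>` already restricts the rule to events decoded by `web-accesslog` and matched by 31530, and the `<url>` test is more precise than matching the raw line. After restarting the manager, paste the same access-log line into ossec-logtest again; the expected change is that Phase 3 now reports rule id 100034 at level 0 instead of 31530 at level 3, and no "Alert to be generated" line follows. Level 3 from 31530 in ossec-logtest is otherwise normal and is not evidence that 31533 is still firing, because the composite rule needs several events within its timeframe and the tool only sees one.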