Hello!

In web_rules.xml, there is a rule to ignore error 4XX on pictures / css / 
js to limit the number of 4XX false positives. The rule is this one:

<rule id="31102" level="0">
    <if_sid>31101</if_sid>
    <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored extensions on 400 error codes.</description>
</rule>


The issue here is that it considers the file extension as the last element in 
the URL. But I have websites on my server that add a version number after 
the URL, and for 404 errors a "/" at the end... And so I get many false 
positives...

I would like to modify this rule to be more "flexible" (using the overwrite 
system). I am first trying with the version number.

Example:
XXX.XXX.XXX.XXX - - [04/May/2018:14:14:18 +0200] "GET 
/files/pictures/brands/logo/40/40-mini.cc3b.jpg?78 HTTP/1.1" 401 381

This one is not matched by rule 31102 because of the "?78". The url tag 
only supports OS_Match/sregex syntax, so I cannot change the rule by 
adding for example ".jpg?(\d)*". I thought of using "regex" instead, but it 
does not work either:

<group name="web,accesslog">
<rule id="31102" level="0" overwrite="yes">
    <if_sid>31101</if_sid>
    <regex>.jpg?(\d)*</regex>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored extensions on 400 error codes.</description>
</rule>
</group>
 
Of course, when it works I will re-add the other file extensions. But 
for the moment it doesn't, and I do not understand why :( What did I miss?


Thanks in advance!


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
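An added illustration of the false-positive problem described in the post (not code from the poster or from OSSEC): it models the end-anchored extension list of rule 31102 in Python `re` syntax, shows why a query string such as `?78` or a trailing `/` defeats it, and applies the same extension list after stripping those suffixes from the request URL. The access-log parser, the sample lines and the normalisation helper are assumptions made for this example, not OSSEC's own matching engine.

```python
import re

# Extension list from OSSEC rule 31102 (web_rules.xml) as quoted in the post.
STATIC_EXTENSIONS = ("jpg", "gif", "png", "jpeg", "css", "js")
STATIC_FILES = ("favicon.ico", "robots.txt")

# Simplified stand-in for the original <url> pattern: every alternative is anchored
# on the end of the URL, so anything after the extension prevents a match.
ORIGINAL_URL_PATTERN = re.compile(
    r"\.jpg$|\.gif$|favicon\.ico$|\.png$|robots\.txt$|\.css$|\.js$|\.jpeg$"
)

# Request line of a combined-format access log (constructed parser, not OSSEC's decoder).
ACCESS_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_access_log(line):
    """Return (method, url, status) or None when the line is not a request log line."""
    m = ACCESS_LOG_RE.search(line)
    if not m:
        return None
    return m.group("method"), m.group("url"), int(m.group("status"))


def normalize_url(url):
    """Drop the query string and trailing slashes so the extension is the last element again."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return path.rstrip("/") or "/"


def is_static_asset(url):
    """True when the request targets a static file whose 4xx response should be ignored."""
    name = normalize_url(url).lower().rsplit("/", 1)[-1]
    if name in STATIC_FILES:
        return True
    return "." in name and name.rsplit(".", 1)[-1] in STATIC_EXTENSIONS


def original_rule_matches(url):
    """Whether the end-anchored pattern of rule 31102 would match the raw URL."""
    return ORIGINAL_URL_PATTERN.search(url) is not None


# Constructed sample lines modelled on the one in the post (client IP made up).
SAMPLE_LINES = [
    '10.0.0.1 - - [04/May/2018:14:14:18 +0200] "GET /files/pictures/brands/logo/40/40-mini.cc3b.jpg?78 HTTP/1.1" 401 381',
    '10.0.0.1 - - [04/May/2018:14:15:02 +0200] "GET /static/app.css/ HTTP/1.1" 404 210',
    '10.0.0.1 - - [04/May/2018:14:16:40 +0200] "GET /admin/login.php HTTP/1.1" 403 512',
]


def classify(lines):
    """Map each 4xx URL to (matched by original anchored pattern, matched after normalisation)."""
    out = {}
    for line in lines:
        parsed = parse_access_log(line)
        if parsed and 400 <= parsed[2] < 500:
            out[parsed[1]] = (original_rule_matches(parsed[1]), is_static_asset(parsed[1]))
    return out
```

Running `classify(SAMPLE_LINES)` shows the versioned `.jpg?78` and the `.css/` requests are missed by the anchored pattern but recognised as static assets once the query string and trailing slash are removed, while `/admin/login.php` is still treated as a real 4xx.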