Hello
Using the following rule:
<group name="web,accesslog" >
  <rule id="31102" level="0" overwrite="yes">
    <if_sid>31101</if_sid>
    <regex>.jpg?\d+</regex>
    <!--<compiled_rule>is_simple_http_request</compiled_rule>-->
    <description>Ignored extensions on 400 error codes.</description>
  </rule>
</group>
It works for me, so I think that you need to review the compiled rule if
you still want to use it.
Hope it helps.
Best regards,
Alberto R.
On Saturday, May 5, 2018 at 12:20:43 PM UTC+2, [email protected] wrote:
>
> Yes and it did not match.
>
> What I do not understand is that the ossec-regex tool shows "matched", if I am
> not wrong:
>
> # /var/ossec/bin/ossec-regex '.jpg?\d+'
> XXX.XXX.XXX.XXX - - [04/May/2018:14:14:18 +0200] "GET
> /files/pictures/brands/logo/40/40-mini.cc3b.jpg?78 HTTP/1.1" 401 381
> +OSRegex_Execute: XXX.XXX.XXX.XXX - - [04/May/2018:14:14:18 +0200] "GET
> /files/pictures/brands/logo/40/40-mini.cc3b.jpg?78 HTTP/1.1" 401 381
> +OS_Regex : XXX.XXX.XXX.XXX - - [04/May/2018:14:14:18 +0200] "GET
> /files/pictures/brands/logo/40/40-mini.cc3b.jpg?78 HTTP/1.1" 401 381
>
> Thx!
>