Indeed the problem is the compiled rule : /* Example 4: Checking if a HTTP request is a simple GET/POST without a query * This avoid that we call the attack rules for no reason. */ void *is_simple_http_request(Eventinfo *lf){ if (!lf->url) { return (NULL); } /* Simple GET / request */ if (strcmp(lf->url, "/") == 0) { return (lf); } /* Simple request, no query */ if (!strchr(lf->url, '?')) { return (lf); } /* In here, we have an additional query to be checked */ return (NULL); }
I will remove it. Thx! On Friday, May 4, 2018 at 9:34:53 PM UTC+2, veni...@gmail.com wrote: > > Hello! > > In web_rules.xml, there is a rule to ignore error 4XX on pictures / css / > js to limit tje number of 4XX false positives. The rule is this one : > > <rule id="31102" level="0"> > <if_sid>31101</if_sid> > <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url> > <compiled_rule>is_simple_http_request</compiled_rule> > <description>Ignored extensions on 400 error codes.</description> > </rule> > > > Issue here is that it consider the file extension has the last element in > the url. But I got website on my server that do add a version number behind > the url and for 404 errors a "/" at the end .... And so I got many false > positives ... > > I would like to modify this rule to be more "flexible" (using the > overwrite system). I am first trying with the version number. > > Example : > XXX.XXX.XXX.XXX - - [04/May/2018:14:14:18 +0200] "GET > /files/pictures/brands/logo/40/40-mini.cc3b.jpg?78 HTTP/1.1" 401 381 > > This one is not matched by rule 31102 because of the "?78". The url tag > only support OS_Match/sregex syntax and so I can not change the rule by > adding for example ".jpg?(\d)*". I thought to use "regex" instead but it > does not work either: > > <group name="web,accesslog" > > <rule id="31102" level="0" overwrite="yes"> > <if_sid>31101</if_sid> > <regex>.jpg?(\d)*</regex> > <compiled_rule>is_simple_http_request</compiled_rule> > <description>Ignored extensions on 400 error codes.</description> > </rule> > </group> > > Of course, when it will work I will re-add the other file extensions. But > for the moment, it's not and I do not understand why :( What did I miss? > > > Thx in advance! > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.