Indeed the problem is the compiled rule:

    #include <string.h>      /* strcmp, strchr */
    #include "eventinfo.h"   /* Eventinfo, OSSEC analysisd */

    /* Example 4: Checking if an HTTP request is a simple GET/POST without a
     * query. This avoids calling the attack rules for no reason. */
    void *is_simple_http_request(Eventinfo *lf)
    {
        /* No URL decoded from the event: the compiled rule cannot match */
        if (!lf->url) {
            return (NULL);
        }

        /* Simple GET / request */
        if (strcmp(lf->url, "/") == 0) {
            return (lf);
        }

        /* Simple request, no query string */
        if (!strchr(lf->url, '?')) {
            return (lf);
        }

        /* In here, we have an additional query to be checked, so the rule
         * does not match and the event goes on to the attack rules */
        return (NULL);
    }
I will remove it. Thx!
On Friday, May 4, 2018 at 9:34:53 PM UTC+2, [email protected] wrote:
>
> Hello!
>
> In web_rules.xml, there is a rule to ignore error 4XX on pictures / css /
> js to limit the number of 4XX false positives. The rule is this one:
>
> <rule id="31102" level="0">
>   <if_sid>31101</if_sid>
>   <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url>
>   <compiled_rule>is_simple_http_request</compiled_rule>
>   <description>Ignored extensions on 400 error codes.</description>
> </rule>
>
>
> Issue here is that it considers the file extension as the last element in
> the URL. But I have websites on my server that add a version number behind
> the URL and, for 404 errors, a "/" at the end .... And so I get many false
> positives ...
>
> I would like to modify this rule to be more "flexible" (using the
> overwrite system). I am first trying with the version number.
>
> Example :
> XXX.XXX.XXX.XXX - - [04/May/2018:14:14:18 +0200] "GET
> /files/pictures/brands/logo/40/40-mini.cc3b.jpg?78 HTTP/1.1" 401 381
>
> This one is not matched by rule 31102 because of the "?78". The url tag
> only supports OS_Match/sregex syntax, so I cannot change the rule by
> adding for example ".jpg?(\d)*". I thought of using "regex" instead, but it
> does not work either:
>
> <group name="web,accesslog" >
>   <rule id="31102" level="0" overwrite="yes">
>     <if_sid>31101</if_sid>
>     <regex>.jpg?(\d)*</regex>
>     <compiled_rule>is_simple_http_request</compiled_rule>
>     <description>Ignored extensions on 400 error codes.</description>
>   </rule>
> </group>
>
> Of course, when it works I will re-add the other file extensions. But
> for the moment it does not, and I do not understand why :( What did I miss?
>
>
> Thx in advance!
>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
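Added example, not code from this thread or from OSSEC's source: a stand-alone mock of the posted compiled rule that shows why rule 31102 can never fire on the "?78" URL from the question regardless of what the <url> or <regex> pattern says, and how the static-asset suffix can be checked on the path part alone once the query string is stripped. The Eventinfo struct and the helper names (is_simple_url, has_static_suffix, rule_31102_ignores) are stand-ins invented for this example; the suffix list is a literal-string simplification of the sregex in the original <url> tag, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for OSSEC's Eventinfo (assumption: only the url field
 * matters for this compiled rule). */
typedef struct {
    char *url;   /* URL as decoded from the web access log */
} Eventinfo;

/* Same logic as the compiled rule quoted in the reply: the event is
 * returned (rule matches) only when the request carries no query string. */
void *is_simple_http_request(Eventinfo *lf)
{
    if (!lf->url) {
        return NULL;
    }
    if (strcmp(lf->url, "/") == 0) {
        return lf;
    }
    if (!strchr(lf->url, '?')) {
        return lf;
    }
    return NULL;
}

/* Convenience wrapper (hypothetical name): 1 if the compiled rule matches. */
int is_simple_url(const char *url)
{
    Eventinfo lf = { (char *)url };
    return is_simple_http_request(&lf) != NULL;
}

/* Suffixes from rule 31102's <url> tag, written as literal strings. */
static const char *STATIC_SUFFIXES[] = {
    ".jpg", ".gif", "favicon.ico", ".png", "robots.txt", ".css", ".js", ".jpeg",
    NULL
};

/* 1 if the path part of the URL (everything before '?') ends with one of
 * the static-asset suffixes, 0 otherwise.  Stripping the query first is
 * what lets a versioned asset such as "logo.jpg?78" still count as a picture. */
int has_static_suffix(const char *url)
{
    if (!url) {
        return 0;
    }
    const char *q = strchr(url, '?');
    size_t path_len = q ? (size_t)(q - url) : strlen(url);
    for (int i = 0; STATIC_SUFFIXES[i]; i++) {
        size_t slen = strlen(STATIC_SUFFIXES[i]);
        if (slen <= path_len &&
            memcmp(url + path_len - slen, STATIC_SUFFIXES[i], slen) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Verdict as the original rule combines its conditions: the URL pattern AND
 * the compiled rule must both pass.  Returns 1 when the event would be
 * ignored (level 0).  Because is_simple_http_request rejects any '?', a
 * versioned asset URL is never ignored while the compiled rule stays in. */
int rule_31102_ignores(const char *url)
{
    return has_static_suffix(url) && is_simple_url(url);
}

int main(void)
{
    /* Constructed sample URLs; the second is the path from the question's log line. */
    const char *samples[] = {
        "/files/pictures/brands/logo/40/40-mini.cc3b.jpg",
        "/files/pictures/brands/logo/40/40-mini.cc3b.jpg?78",
        "/index.php?id=1",
        "/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-52s suffix=%d simple=%d ignored=%d\n", samples[i],
               has_static_suffix(samples[i]), is_simple_url(samples[i]),
               rule_31102_ignores(samples[i]));
    }
    return 0;
}
```

Running it prints one line per sample; the "?78" URL shows suffix=1 but simple=0, so ignored=0, which is exactly the false positive described in the question. Dropping the compiled rule from the overwritten rule (the reply's fix) makes the verdict depend on the suffix check alone.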