Hi Brian,

Thank you for the clarification, but I don't understand why someone would 
associate our website with dailymail.co.uk?

GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"

I understand the part of the log: GET / HTTP/2.0" 200

I don't understand: 

84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"

Why 84, and why this dailymail URL?

Many thanks,
Andrew

On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:

> Rule 1002 is a general catch-all rule which matches generic "bad words" 
> like "failed" and "denied", as you can see here:
>
>
> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>
> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>
> It's a false positive for you, since the word "failed" appears in the 
> Referer field of your HTTP logs.  You can silence these by writing your own 
> more specific rule to catch them, e.g.
>
> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>
> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>
>> We keep receiving these notifications from OSSEC. Our site has nothing to 
>> do with dailymail. Is this worrying or is this a false alert?
>>
>> Received From: server->/var/log/nginx/access.log
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>>
>
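A small added example, not from this thread or from OSSEC itself: it parses the nginx combined-format line Andrew posted and shows that the word rule 1002 matched ("failed") sits in the Referer field, which the browser supplies, not in the request or the server's status. The second sample line and the abbreviated bad-word list are constructed for illustration.

```python
import re

# The line from the thread, reassembled (constructed sample input).
SAMPLE_LINE = (
    '2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] '
    '"GET / HTTP/2.0" 200 84 '
    '"https://www.dailymail.co.uk/news/article-8949475/'
    'SOAS-failed-2017-admit-single-white-working-class-student.html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"'
)
# Constructed line where the keyword is in the request path and the server refused it.
DENIED_LINE = ('203.0.113.7 - - [15/Nov/2020:08:30:00 +0000] '
               '"GET /denied-page HTTP/1.1" 403 162 "-" "curl/7.68.0"')

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$')

# Two of the generic words the thread says rule 1002 matches (abbreviated list).
BAD_WORDS = ("failed", "denied")
# Fields whose content the remote client chooses; a hit there is not a server fault.
CLIENT_CONTROLLED = {"request", "http_referer", "http_user_agent"}

def parse_combined(line):
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def bad_word_hits(fields, bad_words=BAD_WORDS):
    """Map each field containing a bad word (case-insensitive) to the words found."""
    hits = {}
    for name, value in fields.items():
        found = [w for w in bad_words if w in value.lower()]
        if found:
            hits[name] = found
    return hits

def classify(line):
    """'false-positive' when the only hits are in client-chosen fields and the server
    answered 2xx; 'review' for any other hit; 'clean' or 'unparsed' otherwise."""
    fields = parse_combined(line)
    if fields is None:
        return "unparsed"
    hits = bad_word_hits(fields)
    if not hits:
        return "clean"
    if set(hits) <= CLIENT_CONTROLLED and fields["status"].startswith("2"):
        return "false-positive"
    return "review"
```

For the posted line the only hit is in http_referer with status 200, so the alert is classed as a false positive; the 403 sample with "denied" in the path is kept for review.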
