The GET / HTTP/2.0 200 84 shows that someone on Sky Broadband in the UK (2a02:c7d IPv6 address) asked for the / alias on your web server which was returned to the user successfully (code 200) and was 84 bytes in length (probably means the user was JS redirected to a specific page on your site, which is common). Since you don't identify your site, there's no way to confirm the last bit with absolute certainty, but it's both in the ballpark for size and extremely common, so I'm confident in that guess. Your webmaster should be able to confirm, though.
Since the Daily Mail site is the referrer, it means somewhere in that article, the ads or the comments on that page there is a reference to your site which someone clicked on. Since the referrer URL contained the generic alert term "fail", that's what set off OSSEC. So that's why it's in your logs. You can either live with it knowing it's nothing (if it's a low enough level of noise) or write a rule for the Daily Mail URL set to level 0 so it doesn't log anymore. There's little you can do about some commenter on a Daily Mail article linking to your site, so you need to decide how much this matters to you.

HTH,
Scott

On Mon, Nov 16, 2020, 07:27 Andrew S <[email protected]> wrote:

> Hi Brian,
>
> Thank you for the clarification but I don't understand why someone would associate our website with dailymail.co.uk ?
>
> GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>
> I understand the part of the log: GET / HTTP/2.0" 200
>
> I don't understand:
>
> 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>
> Why 84 and why this dailymail URL ?
>
> many thanks
> Andrew
>
> On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
>
>> Rule 1002 is a general catch-all rule which matches generic "bad words" like "failed" and "denied", as you can see here:
>>
>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>>
>> It's a false positive for you, since the word "failed" appears in the Referer field of your HTTP logs. You can silence these by writing your own more specific rule to catch them, e.g.
>>
>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>>
>> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>>
>>> We keep receiving these notifications from OSSEC. Our site has nothing to do with dailymail. Is this worrying or is this a false alert?
>>>
>>> Received From: server->/var/log/nginx/access.log
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>> Portion of the log(s):
>>>
>>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CACUKT_od1kuCdWhRKz6BfT-Eh%2BycxH%2BLDo6BGayCNPOUsN%3Di1w%40mail.gmail.com.
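A local rule set that implements the level-0 suppression Brian and Scott describe, added here as an example (it is not from the thread or the OSSEC project). The rule ids 100100/100101 and the group name are my own choices; the rules go in local_rules.xml on the OSSEC server.

```xml
<!-- local_rules.xml: child rules of 1002 that turn the bad-word hit into a level-0 (silent) event.
     OSSEC only evaluates a child rule after its parent matched, so these see exactly the lines
     that rule 1002 already flagged. Ids 100000 and up are reserved for local rules. -->
<group name="local,syslog,">

  <!-- Narrow fix: ignore 1002 only when the log line carries the Daily Mail referrer whose URL
       contains the word "failed". <match> is a literal substring search on the whole line. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <match>https://www.dailymail.co.uk/</match>
    <description>Ignore rule 1002: "failed" came from a dailymail.co.uk Referer, not from a system error.</description>
  </rule>

  <!-- Broader alternative: the 1002 bad-word list is meant for syslog-style error messages, so a
       hit anywhere in the nginx access log (Referer or User-Agent text) is a false positive.
       <location> matches the source file of the event. This rule makes 100100 redundant. -->
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <location>/var/log/nginx/access.log</location>
    <description>Ignore rule 1002 bad-word matches in the nginx access log.</description>
  </rule>

</group>
```

Verify with /var/ossec/bin/ossec-logtest by pasting the access-log line from the alert: the trace should end at the level-0 local rule instead of at rule 1002, and no alert is generated.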
