No worries. You added some great information.

On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny <[email protected]> wrote:
>
> ACK! Sorry! Didn't see you'd already replied, Dan...
>
> What he said. :)
>
> Scott
>
>
> On Mon, Nov 16, 2020, 10:10 dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Nov 16, 2020 at 7:27 AM Andrew S <[email protected]> wrote:
>> >
>> > Hi Brian,
>> >
>> > Thank you for the clarification, but I don't understand why someone would
>> > associate our website with dailymail.co.uk?
>> >
>>
>> I haven't verified, but Brian mentioned dailymail being in the
>> referrer field. So there was (possibly) a link somewhere on the page
>> in the log message pointing at your site.
>>
>> > GET
>> > / HTTP/2.0" 200 84
>> >
>> > "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>> >
>> > I understand the part of the log: GET / HTTP/2.0" 200
>> >
>> > I don't understand:
>> >
>> > 84
>> >
>> > "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>> >
>> > Why 84 and why this dailymail URL?
>> >
>> > Many thanks,
>> > Andrew
>> >
>> > On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
>> >>
>> >> Rule 1002 is a general catch-all rule which matches generic "bad words"
>> >> like "failed" and "denied", as you can see here:
>> >>
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>> >>
>> >> It's a false positive for you, since the word "failed" appears in the
>> >> Referer field of your HTTP logs. You can silence these by writing your
>> >> own more specific rule to catch them, e.g.
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>> >>
>> >> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>> >>>
>> >>> We keep receiving these notifications from OSSEC. Our site has nothing
>> >>> to do with dailymail. Is this worrying or is this a false alert?
>> >>>
>> >>> Received From: server->/var/log/nginx/access.log
>> >>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> >>> Portion of the log(s):
>> >>>
>> >>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msgid/ossec-list/7a59f156-2823-4945-a828-6d9bc7f5c4e4n%40googlegroups.com.
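The thread above explains the alert: nginx's combined log format places the response size (84 bytes here) and then the Referer URL after the request and status, and rule 1002 substring-matches "failed" anywhere in the line, so a linking page whose URL happens to contain that word trips it. The following Python is an added example, not part of the thread and not OSSEC's own code: it parses the alert's log line into its named fields, reports which field carries the bad word, and applies the narrower decision a more specific child rule would make, ignoring access-log lines where a bad word occurs only in the client-supplied Referer or User-Agent fields while still flagging it anywhere else. The bad-word list (the thread names only "failed" and "denied"), the field names and the extra contrasting log lines are constructed assumptions.

```python
import re
from typing import Optional

# nginx "combined" log format, field by field:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Words the catch-all rule looks for. The thread names "failed" and "denied";
# the full list lives in OSSEC's rule file, so this short tuple is an assumption.
BAD_WORDS = ("failed", "denied")

# Fields whose content is chosen by the visitor's browser or the linking page,
# not by our server. A "bad word" here describes the link source, not a failure.
CLIENT_SUPPLIED_FIELDS = ("referer", "user_agent")

# The log line from the OSSEC alert in the thread, rejoined onto one line.
THREAD_LINE = (
    '2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] '
    '"GET / HTTP/2.0" 200 84 '
    '"https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"'
)

# Constructed lines for contrast (not from the thread).
CLEAN_LINE = '203.0.113.7 - - [16/Nov/2020:10:00:00 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/7.68.0"'
REQUEST_LINE = '203.0.113.7 - - [16/Nov/2020:10:00:01 +0000] "GET /login?status=denied HTTP/1.1" 403 0 "-" "curl/7.68.0"'
SSHD_LINE = 'Nov 16 10:00:02 server sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2'


def parse_combined(line: str) -> Optional[dict]:
    """Split a combined-format access-log line into named fields; None if it is not one."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def bad_words_in(text: str) -> list:
    """Bad words present in text, matched case-insensitively as substrings (like rule 1002)."""
    low = text.lower()
    return [w for w in BAD_WORDS if w in low]


def fields_with_bad_words(line: str) -> list:
    """Names of the parsed fields that contain a bad word, so the analyst sees where it sits."""
    fields = parse_combined(line) or {}
    return [name for name, value in fields.items() if bad_words_in(value)]


def classify(line: str) -> str:
    """
    Reproduce the catch-all rule plus the narrower child rule that silences it:
      'clean'  - no bad word anywhere, so rule 1002 would not fire
      'ignore' - access-log line whose bad words occur only in referer/user-agent
      'alert'  - bad word elsewhere: a genuine failure message or a suspicious request
    """
    if not bad_words_in(line):
        return "clean"
    fields = parse_combined(line)
    if fields is None:
        return "alert"  # not an access-log line: keep the generic rule's behaviour
    for name, value in fields.items():
        if name not in CLIENT_SUPPLIED_FIELDS and bad_words_in(value):
            return "alert"
    return "ignore"


if __name__ == "__main__":
    fields = parse_combined(THREAD_LINE)
    for name, value in fields.items():
        print(f"{name:16} = {value}")
    print("bad words in fields:", fields_with_bad_words(THREAD_LINE))
    for sample in (THREAD_LINE, CLEAN_LINE, REQUEST_LINE, SSHD_LINE):
        print(classify(sample).ljust(7), sample[:60])
```

Running it lists `body_bytes_sent = 84` and the dailymail URL under `referer`, reports that the only field containing a bad word is `referer`, and classifies the thread's line as `ignore` while the sshd line and the request containing "denied" stay `alert`. In OSSEC's rule XML the same decision is a child rule of 1002 (`<if_sid>1002</if_sid>`) at level 0 whose regex is anchored to the access-log shape, so only access-log lines, and not sshd or sudo messages carrying the same words, are silenced.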
