jrossi / issue-migration-test

GNU General Public License v2.0

Improper match on rule id 31103 #39

Closed jrossi closed 10 years ago

jrossi commented 10 years ago

I posted this to the ossec list but I'm not sure if it ever got reported as an issue.

** Alert 1366058409.55306106: - web,accesslog,attack, 2013 Apr 15 13:40:09 syslog->/logs/httpd/access.log Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'

"GET /foo/foo_blog/?feed=rss2&cat='31' HTTP/1.1" 200 1812 "-" "-"

Okay, after discovering ossec_logtest -v I see it is actually matching on rule id 31103, which doesn't make sense to me. Can anyone help me understand why it matches there? It seems to be the single quotes that are matching.

**Phase 1: Completed pre-decoding. full event: '1.1.1.1 www.foo.com - [15/Apr/2013:13:40:07 -0700] "GET /foo/foo_blog/?feed=rss2&cat='31' HTTP/1.1" 200 1812 "-" "-"' hostname: 'syslog' program_name: '(null)' log: '1.1.1.1 www.foo.com - [15/Apr/2013:13:40:07 -0700] "GET /foo/foo_blog/?feed=rss2&cat='31' HTTP/1.1" 200 1812 "-" "-"'

**Phase 2: Completed decoding. decoder: 'web-accesslog' srcip: '1.1.1.1' url: '/foo/foo_blog/?feed=rss2&cat='31'' id: '200'

**Rule debugging:
Trying rule: 4 - Generic template for all web rules.
Rule 4 matched.
Trying child rules.
Trying rule: 31100 - Access log messages grouped.
Rule 31100 matched.
Trying child rules.
Trying rule: 31108 - Ignored URLs (simple queries).
Trying rule: 31115 - URL too long. Higher than allowed on most browsers. Possible attack.
Trying rule: 31103 - SQL injection attempt.
Rule 31103 matched.
Trying child rules.
Trying rule: 31107 - Ignored URLs for the web attacks
Trying rule: 31152 - Multiple SQL injection attempts from same souce ip.
Trying rule: 31106 - A web attack returned code 200 (success).
Rule 31106 matched.

**Phase 3: Completed filtering (rules). Rule id: '31106' Level: '6' Description: 'A web attack returned code 200 (success).' **Alert to be generated.

Note: This issue has been automatically migrated from Bitbucket Created by zeeawk on 2013-05-06 18:34:50+00:00, last updated: 2013-05-06 20:51:10+00:00
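To make the false positive in this report concrete, here is an added example (not OSSEC's code and not from this issue's fix) that replays the decode-then-match chain ossec-logtest shows above over a few constructed access-log lines. The "loose" matcher is an assumption about why 31103 fired (a bare single quote, raw or as %27, anywhere in the URL); the "strict" matcher is an illustrative tightening that also requires SQL syntax next to the quote after percent-decoding. The `decode_accesslog`, `loose_sqli`, `strict_sqli` and `alerts` names and the second and third log lines are invented for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines. The first is the line from the issue
# report; the other two are made up for contrast (one probe-looking request,
# one plain page hit).
SAMPLE_LOG = [
    '1.1.1.1 www.foo.com - [15/Apr/2013:13:40:07 -0700] '
    '"GET /foo/foo_blog/?feed=rss2&cat=\'31\' HTTP/1.1" 200 1812 "-" "-"',
    '2.2.2.2 www.foo.com - [15/Apr/2013:13:41:00 -0700] '
    '"GET /index.php?id=1%27%20or%201%3D1-- HTTP/1.1" 200 512 "-" "-"',
    '3.3.3.3 www.foo.com - [15/Apr/2013:13:42:00 -0700] '
    '"GET /about.html HTTP/1.1" 200 2048 "-" "-"',
]

# Minimal stand-in for the web-accesslog decoder: extract the same three
# fields ossec-logtest printed in Phase 2 (srcip, url, id = HTTP status).
ACCESSLOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) '
)


def decode_accesslog(line):
    """Return {'srcip', 'url', 'id'} for a combined-style access-log line, or None."""
    m = ACCESSLOG_RE.match(line)
    if not m:
        return None
    return {"srcip": m.group("srcip"), "url": m.group("url"), "id": m.group("id")}


# Assumed "loose" matcher: fires on a bare single quote (raw or URL-encoded)
# anywhere in the URL. This is a guess at why 31103 fired, not OSSEC's rule.
LOOSE_RE = re.compile(r"'|%27", re.IGNORECASE)


def loose_sqli(url):
    return LOOSE_RE.search(url) is not None


# Tighter matcher: a quote alone is not enough; require SQL syntax next to it,
# evaluated after percent-decoding so encoded and raw payloads look alike.
SQL_SYNTAX_RE = re.compile(
    r"union\s+select|select\s+.+?\s+from|\bor\s+[\w']+\s*=\s*[\w']+|--|/\*"
)


def strict_sqli(url):
    decoded = unquote(url).lower()
    return "'" in decoded and SQL_SYNTAX_RE.search(decoded) is not None


def alerts(lines, matcher):
    """Events a '31106-style' rule (web attack + status 200) would raise under `matcher`."""
    hits = []
    for line in lines:
        ev = decode_accesslog(line)
        if ev and matcher(ev["url"]) and ev["id"] == "200":
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for name, matcher in (("loose", loose_sqli), ("strict", strict_sqli)):
        print(name, [ev["url"] for ev in alerts(SAMPLE_LOG, matcher)])
```

Run stand-alone, the loose matcher escalates both the reporter's `cat='31'` request and the constructed probe, while the strict one escalates only the probe; the quoted literal in a normal WordPress feed query is exactly the kind of input a quote-only pattern cannot distinguish from an injection attempt.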

jrossi commented 10 years ago

wasn't it fixed by f5659d5?

Note: This comment has been automatically migrated from Bitbucket Created by cgzones on 2013-05-06 19:35:18+00:00

jrossi commented 10 years ago

wow I totally missed that. Thanks for pointing it out.

Note: This comment has been automatically migrated from Bitbucket Created by zeeawk on 2013-05-06 20:50:52+00:00

jrossi commented 10 years ago

looks like this was fixed.

Note: This comment has been automatically migrated from Bitbucket Created by zeeawk on 2013-05-06 20:51:10+00:00