I posted this to the ossec list but I'm not sure if it ever got reported as an issue.

```
** Alert 1366058409.55306106: - web,accesslog,attack,
2013 Apr 15 13:40:09 syslog->/logs/httpd/access.log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
"GET /foo/foo_blog/?feed=rss2&cat='31' HTTP/1.1" 200 1812 "-" "-"
```

Okay, after discovering ossec_logtest -v, I see it is actually matching on rule id 31103, which doesn't make sense to me. Can anyone help me understand why it matches there? It seems to be the single quotes that are matching.

```
**Phase 1: Completed pre-decoding.
       full event: '1.1.1.1 www.foo.com - [15/Apr/2013:13:40:07 -0700] "GET /foo/foo_blog/?feed=rss2&cat='31' HTTP/1.1" 200 1812 "-" "-"'
       hostname: 'syslog'
       program_name: '(null)'
       log: '1.1.1.1 www.foo.com - [15/Apr/2013:13:40:07 -0700] "GET /foo/foo_blog/?feed=rss2&cat='31' HTTP/1.1" 200 1812 "-" "-"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '1.1.1.1'
       url: '/foo/foo_blog/?feed=rss2&cat='31''
       id: '200'

**Rule debugging:
     Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
     Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
     Trying rule: 31108 - Ignored URLs (simple queries).
     Trying rule: 31115 - URL too long. Higher than allowed on most browsers. Possible attack.
     Trying rule: 31103 - SQL injection attempt.
       *Rule 31103 matched.
       *Trying child rules.
     Trying rule: 31107 - Ignored URLs for the web attacks
     Trying rule: 31152 - Multiple SQL injection attempts from same souce ip.
     Trying rule: 31106 - A web attack returned code 200 (success).
       *Rule 31106 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '31106'
       Level: '6'
       Description: 'A web attack returned code 200 (success).'
**Alert to be generated.
```

Note: This issue has been automatically migrated from Bitbucket
Created by zeeawk on 2013-05-06 18:34:50+00:00, last updated: 2013-05-06 20:51:10+00:00
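To make the rule chain in the logtest output concrete, here is an added example (not OSSEC's code and not from the issue) that decodes the quoted access-log line into the same three fields printed in Phase 2 and walks a simplified 31100 to 31103 to 31106 chain. The decoder regex and the single-quote/%27 check standing in for rule 31103's `<url>` pattern are assumptions; the real rule pattern is longer, but the issue shows that a bare `'` in the query string is enough to trip it.

```python
import re

# Constructed sample input: the access-log line quoted in the issue above.
ACCESS_LOG_LINE = (
    '1.1.1.1 www.foo.com - [15/Apr/2013:13:40:07 -0700] '
    '"GET /foo/foo_blog/?feed=rss2&cat=\'31\' HTTP/1.1" 200 1812 "-" "-"'
)

# Stand-in for OSSEC's web-accesslog decoder (assumption, not the real
# decoder): extracts the three fields ossec-logtest printed in Phase 2.
ACCESSLOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" (?P<id>\d{3})'
)

# Stand-in for the <url> pattern of rule 31103 (assumption): the real rule is
# a long alternation, but the issue shows a bare ' in the query string is
# enough, so only ' and its URL-encoded form %27 are modelled here.
SQLI_MARKER_RE = re.compile(r"'|%27", re.IGNORECASE)


def decode(line):
    """Phase 2: return {'srcip', 'url', 'id'} or None if the line does not decode."""
    m = ACCESSLOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(fields):
    """Phase 3: walk 31100 -> 31103 -> 31106 and return the deepest rule id matched.

    As in OSSEC, a child rule is only tried after its parent matched, and the
    last matching child is what ends up in the alert.
    """
    if fields is None:
        return None
    matched = 31100                        # access log messages grouped
    if SQLI_MARKER_RE.search(fields["url"]):
        matched = 31103                    # SQL injection attempt
        if fields["id"] == "200":
            matched = 31106                # a web attack returned code 200
    return matched


def classify(line):
    """Convenience wrapper: decode, then evaluate a raw log line."""
    return evaluate(decode(line))


if __name__ == "__main__":
    print(decode(ACCESS_LOG_LINE))    # url ends in cat='31', id 200
    print(classify(ACCESS_LOG_LINE))  # 31106, the rule id in the alert above
```

Dropping the quotes from the query (`cat=31`) stops the walk at 31100, which is why the same request with a non-200 status still lands on 31103 but never reaches 31106.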