ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Ignored URLs for the web attacks #1078

Open jcesarstef opened 7 years ago

jcesarstef commented 7 years ago

https://github.com/ossec/ossec-hids/blob/ef46a72250c84c068751a0161d8b5fb009fb7699/etc/rules/web_rules.xml#L99-L103

I don't understand why this would be ignored.

Example of real world use: https://packetstormsecurity.com/files/141082/joomlamusiccollection303-sql.txt

nbuuck commented 7 years ago

I'm inclined to agree as the rule linked by @jcesarstef is already subsequent to 31103, 31104 and 31105, the three of which are definitive indicators of injection probing. The rule was introduced in https://github.com/ossec/ossec-hids/commit/26cdaa68ba6c79e3e8a4e2f176e49bb6d6f692ae#diff-84cf3f9c656436eec9fb9bdb11993cb9 by @dcid over a decade ago. That change was largely focused on decoder work. The description on the rule doesn't provide sufficient context to understand why this may have been necessary beyond the obvious and stated goal. I imagine that we'll need to test the removal of 31107 against Joomla and ideally other CMS products that might have the same path(s) for search.
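To make the effect under discussion concrete, below is a small simulator of the OSSEC rule chain (31100 → 31103 → 31107) run over constructed Apache access-log lines. It is an added example, not code from ossec-hids and not from either commenter. The `<url>` patterns it assigns to 31103 and 31107 are simplified stand-ins (assumption: 31107 is a level-0 child of the attack rules that matches search-style paths, as the thread describes); the real definitions are in etc/rules/web_rules.xml at the linked commit. The `/search.php` injection line is constructed for illustration and is not taken from the Packet Storm advisory.

```python
"""Toy model of OSSEC web-rule chaining: a matching child rule replaces its
parent as the result, and a level-0 result is dropped rather than alerted.
Added example; rule patterns are simplified stand-ins, not the project's own.
"""
import re
from dataclasses import dataclass

# Minimal stand-in for the web-accesslog decoder: extract only the fields
# the rules below need from an Apache combined-format line.
ACCESSLOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: tuple = ()   # parent rule ids (OSSEC <if_sid>)
    url: str = ""        # OSSEC-style pattern: '|' = alternation, '^' = anchor
    decoder: str = ""    # decoder name, used only by the root rule


def os_match(pattern: str, text: str) -> bool:
    """Simplified stand-in for OSSEC's pattern matcher (substring or anchored)."""
    if not pattern:
        return True
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


# Assumed, simplified patterns; see web_rules.xml for the real rules.
RULES = [
    Rule(31100, 0, "Access log messages grouped.", decoder="web-accesslog"),
    Rule(31103, 6, "SQL injection attempt.", if_sid=(31100,),
         url="select%20|select+|%20from%20|union%20|union+|null,null"),
    Rule(31107, 0, "Ignored URLs for the web attacks",
         if_sid=(31103, 31104, 31105),
         url="^/search?|^/search.php?|^/search/?"),
]


def without(rules, rule_id):
    """Return the rule set with one rule removed (what the issue proposes)."""
    return [r for r in rules if r.id != rule_id]


def evaluate(rules, event):
    """Walk the chain: the deepest matching rule is the final result."""
    matched = next((r for r in rules
                    if not r.if_sid and r.decoder == event["decoder"]), None)
    if matched is None:
        return None
    progressed = True
    while progressed:
        progressed = False
        for r in rules:
            if matched.id in r.if_sid and os_match(r.url, event["url"]):
                matched = r
                progressed = True
                break
    return matched


def alert_level(line: str, rules=RULES) -> int:
    """Level of the final matched rule; 0 means the event is silenced."""
    m = ACCESSLOG_RE.match(line)
    if not m:
        return 0
    event = {"decoder": "web-accesslog", **m.groupdict()}
    matched = evaluate(rules, event)
    return matched.level if matched else 0


# Constructed sample lines (not real traffic).
SQLI_SEARCH = ('203.0.113.5 - - [10/Jan/2017:10:00:00 +0000] '
               '"GET /search.php?q=1%20union%20select%201 HTTP/1.1" 200 512')
SQLI_INDEX = ('203.0.113.5 - - [10/Jan/2017:10:00:01 +0000] '
              '"GET /index.php?id=1%20union%20select%201 HTTP/1.1" 200 512')
BENIGN_SEARCH = ('203.0.113.5 - - [10/Jan/2017:10:00:02 +0000] '
                 '"GET /search.php?q=music HTTP/1.1" 200 512')

if __name__ == "__main__":
    for name, line in [("sqli via /search.php", SQLI_SEARCH),
                       ("sqli via /index.php", SQLI_INDEX),
                       ("benign search", BENIGN_SEARCH)]:
        print(f"{name:22s} with 31107: level {alert_level(line)}  "
              f"without 31107: level {alert_level(line, without(RULES, 31107))}")
```

The point the simulation makes is that 31107 does not lower the priority of the SQL injection alert; because the last matching child wins and level 0 is discarded, it removes the 31103 alert entirely for any request under a search path, while the same payload against any other path still alerts at level 6.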