Difference between revisions of "OSSEC Rule: 31151"

From Atomicorp Wiki
(New page: == Abstract: == Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server. Examp...)

Revision as of 11:45, 28 May 2007

Abstract:

Rule 31151 tracks multiple HTTP 400-series error codes returned to the same source IP address. Repeated 4xx responses from one client are generally indicative of worm activity or generic exploit attempts against the server's IP address.

Example Alert:

Received From: srv3->/etc/httpd/logs/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.1 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
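The alert above is produced by a frequency rule: every 4xx response in the access log is matched first, and 31151 fires once enough of those matches share a source IP inside a time window. The following Python script is an added example, not code from the Atomicorp wiki or from the OSSEC project; it reimplements that counting logic over Apache combined-format lines so the alert can be reproduced offline. The threshold and window (FREQUENCY and TIMEFRAME) are assumed placeholder values, not the ones in OSSEC's web_rules.xml, and the sample log lines are constructed for the example, modelled on the ones in the alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format, as shown in the alert above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed placeholder parameters for this example; the real frequency and
# timeframe of rule 31151 are defined in OSSEC's web_rules.xml.
FREQUENCY = 3      # 4xx responses from one source IP needed to fire
TIMEFRAME = 120    # seconds within which they must occur


def parse_line(line):
    """Return a dict with ip, ts, status and request, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "status": int(m.group("status")),
        "request": m.group("request"),
    }


class Rule31151:
    """Fires level 10 once FREQUENCY 4xx responses from one source IP fall within TIMEFRAME seconds."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.window = defaultdict(deque)  # source ip -> timestamps of recent 4xx hits

    def feed(self, line):
        ev = parse_line(line)
        # Only web server 400 error codes count towards the frequency rule.
        if ev is None or not 400 <= ev["status"] <= 499:
            return None
        q = self.window[ev["ip"]]
        q.append(ev["ts"])
        # Drop hits older than the timeframe relative to the newest one.
        while (ev["ts"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # reset the counter after firing, as a frequency rule does
            return {
                "rule": 31151,
                "level": 10,
                "srcip": ev["ip"],
                "description": "Mutiple web server 400 error codes from same source ip.",
            }
        return None


def run(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Feed log lines through the rule and return the list of alerts raised."""
    rule = Rule31151(frequency, timeframe)
    alerts = []
    for line in lines:
        alert = rule.feed(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log, modelled on the alert above (not real traffic).
SAMPLE_LOG = [
    '10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"',
    '10.10.10.10 - - [28/May/2007:03:07:13 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"',
    '10.10.10.1 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"',
    '10.10.10.1 - - [28/May/2007:03:06:50 -0600] "GET /index.html HTTP/1.0" 200 1234 "-" "-"',
    '10.10.10.10 - - [28/May/2007:03:07:20 -0600] "GET /xmlrpc.php HTTP/1.0" 404 300 "-" "-"',
    '10.10.10.10 - - [28/May/2007:03:15:00 -0600] "GET /nonexistent HTTP/1.0" 404 300 "-" "-"',
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

With the placeholder threshold of 3, only 10.10.10.10 trips the rule (three 404s within eight seconds); the single 404 from 10.10.10.1 and the lone 404 at 03:15 stay below it. Tuning the threshold and window is what separates a scanner from a user who mistyped a URL a couple of times.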


Recommended Actions:

This attack is being blocked; no further action is necessary.
