Difference between revisions of "OSSEC Rule: 31151"

From Atomicorp Wiki
Jump to: navigation, search
Line 1: Line 1:
 
== Abstract: ==
 
== Abstract: ==
 
Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.
 
Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.
 +
  
 
Example Alert:
 
Example Alert:

Revision as of 11:45, 28 May 2007

Abstract:

Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.


Example Alert:

Received From: srv3->/etc/httpd/logs/access_log Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip." Portion of the log(s):

 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"


Recommended Actions:

This attack is being blocked, no further actions are necessary.

Personal tools