Difference between revisions of "OSSEC Rule: 31151"
From Atomicorp Wiki
| (One intermediate revision by one user not shown) | |||
| Line 10: | Line 10: | ||
10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-" | 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-" | ||
| − | 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET | + | 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-" |
10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-" | 10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-" | ||
| − | 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php | + | 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-" |
| − | HTTP/1.0" 404 292 "-" "-" | + | 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-" |
| − | 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php | + | 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-" |
| − | HTTP/1.0" 404 291 "-" "-" | + | 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-" |
| − | 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php | + | 10.10.10.10 - - [28/May/2007:03:06:44 -0600] "GET /adxmlrpc.php HTTP/1.0" 404 282 "-" "-" |
| − | HTTP/1.0" 404 292 "-" "-" | + | |
| − | 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php | + | |
| − | HTTP/1.0" 404 291 "-" "-" | + | |
| − | 10.10.10.10 - - [28/May/2007:03:06:44 -0600] "GET /adxmlrpc.php HTTP/1.0" | + | |
| − | 404 282 "-" "-" | + | |
| − | + | ||
== Recommended Actions: == | == Recommended Actions: == | ||
This attack is being blocked, no further actions are necessary. | This attack is being blocked, no further actions are necessary. | ||
Latest revision as of 11:48, 28 May 2007
[edit] Abstract:
Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.
Example Alert:
Received From: srv3->/etc/httpd/logs/access_log Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip." Portion of the log(s):
10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-" 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-" 10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-" 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-" 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-" 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-" 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-" 10.10.10.10 - - [28/May/2007:03:06:44 -0600] "GET /adxmlrpc.php HTTP/1.0" 404 282 "-" "-"
[edit] Recommended Actions:
This attack is being blocked, no further actions are necessary.
