Difference between revisions of "OSSEC Rule: 31151"

From Atomicorp Wiki
Jump to: navigation, search
 
(3 intermediate revisions by one user not shown)
Line 1: Line 1:
 
== Abstract: ==
 
== Abstract: ==
 
Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.
 
Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.
 +
  
 
Example Alert:
 
Example Alert:
Line 11: Line 12:
 
   10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 
   10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 
   10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
 
   10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
 +
  10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
 +
  10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-"
 +
  10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
 +
  10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-"
 +
  10.10.10.10 - - [28/May/2007:03:06:44 -0600] "GET /adxmlrpc.php HTTP/1.0" 404 282 "-" "-"
  
  
 
== Recommended Actions: ==
 
== Recommended Actions: ==
 
This attack is being blocked, no further actions are necessary.
 
This attack is being blocked, no further actions are necessary.

Latest revision as of 12:48, 28 May 2007

[edit] Abstract:

Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.


Example Alert:

Received From: srv3->/etc/httpd/logs/access_log Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip." Portion of the log(s):

 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:46 -0600] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:45 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 291 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:44 -0600] "GET /adxmlrpc.php HTTP/1.0" 404 282 "-" "-"


[edit] Recommended Actions:

This attack is being blocked, no further actions are necessary.

Personal tools