OSSEC Rule: 31151

From Atomicorp Wiki
Revision as of 12:45, 28 May 2007 by Scott (Talk | contribs)

Jump to: navigation, search

Abstract:

Rule 31151 tracks multiple HTTP error code 400's. These are generally indicative of detecting worm, or generic exploit attacks against the IP address of the server.


Example Alert:

Received From: srv3->/etc/httpd/logs/access_log Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip." Portion of the log(s): 

 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.10 - - [28/May/2007:03:07:12 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 308 "-" "-"
 10.10.10.10 - - [28/May/2007:03:06:47 -0600] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 292 "-" "-"


Recommended Actions:

This attack is being blocked, no further actions are necessary.

Retrieved from "https://wiki.atomicorp.com/wiki/index.php?title=OSSEC_Rule:_31151&oldid=75"
Personal tools