
List:       ossec-list
Subject:    [ossec-list] Re: Stop blocking false positive bruteforce event.
From:       Naithan Weigh <naithanweigh () gmail ! com>
Date:       2015-06-18 15:06:14
Message-ID: 4cc92758-f923-4a4b-b4d0-970386855e58 () googlegroups ! com


It seems good so far, at least it doesn't block it anymore when updating forms.
Now just wait and wait for the next bruteforce to see if that still gets blocked.
But I don't see how it would not.

Thanks for the quick help Dan!

On Thursday, June 18, 2015 at 4:57:32 PM UTC+2, Naithan Weigh wrote:
> 
> Thanks, I will try and post results.
> 
> On Thursday, June 18, 2015 at 4:25:47 PM UTC+2, Naithan Weigh wrote:
> > 
> > Hi
> > 
> > I'm running into an issue where the active-response is seeing a 
> > bruteforce attempt when this is not the case. 
> > 
> > When using a certain Joomla plugin, the logs pick up the following:
> > 
> > 
> > Received From: (SRV) SERVER->/mnt/data/vhosts/WEBSITE.info/logs/access_log
> > 
> > Rule: 31510 fired (level 8) -> "CMS (WordPress or Joomla) brute force 
> > attempt."
> > 
> > Portion of the log(s):
> > 
> > 
> > 78.133.70.43 - - [12/Jun/2015:18:11:50 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> > 
> > 78.133.70.43 - - [12/Jun/2015:18:11:49 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> > 
> > 78.133.70.43 - - [12/Jun/2015:18:11:48 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> > 
> > 78.133.70.43 - - [12/Jun/2015:18:11:47 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> > 
> > 78.133.70.43 - - [12/Jun/2015:18:11:45 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> > 
> > 78.133.70.43 - - [12/Jun/2015:18:11:44 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingforms&format=html&act=quickmode&formName=Training_Registration_Form&form=1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
> > 
> > 78.133.70.43 - - [12/Jun/2015:18:11:43 +0100] "POST /administrator/index.php HTTP/1.1" 200 159 "http://WEBSITE.info/administrator/index.php?option=com_breezingf
> > 
> > ...
> 
> 
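Editor's added illustration (not part of the thread and not OSSEC's own rule code): it replays access_log lines shaped like the ones quoted above through a sliding-window counter of the kind behind the "CMS brute force attempt" rule, then shows how an allowlist on the BreezingForms referer keeps the legitimate form edits from counting while a burst with no plugin referer is still flagged. The threshold of 6 POSTs in 30 seconds, the sample lines and the referer check are assumptions chosen for illustration; the stock OSSEC web-log decoder does not extract the referer by default, so this models the logic for testing a rule change rather than being a drop-in rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache combined log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_URL = "/administrator/index.php"  # Joomla admin login endpoint from the quoted log
THRESHOLD, WINDOW = 6, timedelta(seconds=30)  # assumed values, for illustration only

def parse(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def is_login_post(r):
    # what a CMS-login rule keys on: a POST to the admin login URL
    return r["method"] == "POST" and r["url"].startswith(LOGIN_URL)

def plugin_traffic(r):
    # allowlist (assumed): the POST was sent from the BreezingForms admin page itself
    return "option=com_breezingforms" in r["referer"]

def flagged_ips(lines, allowlist=None):
    """Return the IPs that reach THRESHOLD login POSTs inside a sliding WINDOW."""
    recent = defaultdict(list)
    flagged = set()
    for r in filter(None, map(parse, lines)):
        if not is_login_post(r) or (allowlist and allowlist(r)):
            continue
        hits = [t for t in recent[r["ip"]] if r["ts"] - t <= WINDOW] + [r["ts"]]
        recent[r["ip"]] = hits
        if len(hits) >= THRESHOLD:
            flagged.add(r["ip"])
    return flagged

# constructed sample modelled on the quoted log: seven plugin POSTs within eight seconds
REFERER = ("http://WEBSITE.info/administrator/index.php?option=com_breezingforms"
           "&format=html&act=quickmode&formName=Training_Registration_Form&form=1")
SAMPLE = [
    f'78.133.70.43 - - [12/Jun/2015:18:11:{s} +0100] "POST /administrator/index.php HTTP/1.1"'
    f' 200 159 "{REFERER}" "Mozilla/5.0"' for s in (43, 44, 45, 47, 48, 49, 50)
]
ATTACK = [line.replace(REFERER, "-") for line in SAMPLE]  # same burst without the plugin referer
```

Running `flagged_ips(SAMPLE)` flags the plugin burst exactly as the thread describes, `flagged_ips(SAMPLE, allowlist=plugin_traffic)` returns an empty set, and the allowlist does not hide `ATTACK`.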


