List: prelude-devel
Subject: Re: [prelude-devel] [Prelude Hybrid IDS] #216: mod_security
From: "Prelude Hybrid IDS" <noreply () prelude-ids ! org>
Date: 2007-06-06 11:26:33
Message-ID: 054.b61e719ce89cf658cd63b0aef14784fc () prelude-ids ! org
#216: mod_security modifications
-------------------------+--------------------------------------------------
Reporter: gegomez | Owner: gegomez
Type: defect | Status: assigned
Priority: normal | Milestone: Prelude-LML 0.9.11
Component: prelude-lml | Version: 0.9
Severity: normal | Resolution:
Keywords: |
-------------------------+--------------------------------------------------
Comment (by anonymous):
Hello,
Here is my rule when using ModSecurity(2)
{{{
#LOG:May 31 11:51:09 server httpd[10634]: [error] [client 10.8.0.128] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [hostname "10.8.0.127"] [uri "/blah"] [unique_id "CcdHJFKU22EAACmK5AcAAAAF"]
regex=\[client ([\d\.]+)\] ModSecurity: Access denied with code (\d+) \(phase (\d+)\)\. Pattern match "(\S+)" (.+)\. \[id "(\d+)"\] \[msg "(.+)"\] \[severity "(\S+)"\] \[hostname "([\S.]+)"\] \[uri "(.+)"\] \[unique_id "(\S+)"\]; \
id=3108; \
revision=1; \
classification.ident = $11; \
classification.text=HTTP $5 ($4) Blocked; \
analyzer(0).name=ModSecurity; \
analyzer(0).manufacturer=www.modsecurity.org; \
analyzer(0).class=HIDS; \
assessment.impact.severity=$8; \
assessment.impact.completion=failed; \
assessment.impact.description=mod_security encountered an error: $7. Access was blocked with HTTP response code $2; \
assessment.action(0).category = block-installed; \
source(0).service.iana_protocol_name=tcp; \
source(0).service.iana_protocol_number=6; \
source(0).node.address(0).category=ipv4-addr; \
source(0).node.address(0).address=$1; \
target(0).node.name=$9; \
target(0).service.iana_protocol_name=tcp; \
target(0).service.iana_protocol_number=6; \
target(0).service.name=http; \
target(0).service.web_service.url = $10; \
additional_data(0).type=integer; \
additional_data(0).meaning=HTTP code returned; \
additional_data(0).data=$2; \
additional_data(1).type=integer; \
additional_data(1).meaning=id; \
additional_data(1).data=$6; \
additional_data(2).type=integer; \
additional_data(2).meaning=phase; \
additional_data(2).data=$3; \
last
}}}
Regards,
Robin
--
Ticket URL: <https://trac.prelude-ids.org/ticket/216#comment:2>
Prelude Hybrid IDS <http://www.prelude-ids.org>
The Prelude Hybrid Intrusion Detection System suite
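An added check, not part of Robin's comment or of Prelude-LML itself: the Python below runs the rule's regex (copied from the comment, PCRE syntax that Python's re accepts unchanged) over the sample #LOG line re-joined onto one line, expands a subset of the rule's `$N` field templates, verifies that every `$N` points at a capture group the regex actually has, and checks the severity value against the RFC 4765 Impact severity enumeration. Assumptions: the `$N` expansion takes digits greedily (so `$11` is group 11), which is this example's own convention rather than a statement about how prelude-lml parses rules; the field subset and log line are constructed from the text of the comment above.

```python
import re

# Regex from the rule in the comment above; eleven capture groups, $1..$11.
RULE_REGEX = re.compile(
    r'\[client ([\d\.]+)\] ModSecurity: Access denied with code (\d+) '
    r'\(phase (\d+)\)\. Pattern match "(\S+)" (.+)\. \[id "(\d+)"\] '
    r'\[msg "(.+)"\] \[severity "(\S+)"\] \[hostname "([\S.]+)"\] '
    r'\[uri "(.+)"\] \[unique_id "(\S+)"\]'
)

# Subset of the rule's IDMEF field templates (constructed from the comment).
RULE_FIELDS = {
    "classification.ident": "$11",
    "classification.text": "HTTP $5 ($4) Blocked",
    "assessment.impact.severity": "$8",
    "assessment.impact.description":
        "mod_security encountered an error: $7. "
        "Access was blocked with HTTP response code $2",
    "source(0).node.address(0).address": "$1",
    "target(0).node.name": "$9",
    "target(0).service.web_service.url": "$10",
    "additional_data(0).data": "$2",   # HTTP code returned
    "additional_data(1).data": "$6",   # ModSecurity rule id
    "additional_data(2).data": "$3",   # phase
}

# Constructed sample: the #LOG line from the comment, joined onto one line.
SAMPLE_LOG = (
    r'May 31 11:51:09 server httpd[10634]: [error] [client 10.8.0.128] '
    r'ModSecurity: Access denied with code 400 (phase 2). Pattern match '
    r'"^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header '
    r'is a numeric IP address"] [severity "CRITICAL"] [hostname "10.8.0.127"] '
    r'[uri "/blah"] [unique_id "CcdHJFKU22EAACmK5AcAAAAF"]'
)

# Impact severity values defined by IDMEF (RFC 4765).
IDMEF_SEVERITIES = {"info", "low", "medium", "high"}


def match_rule(line):
    """Return the tuple of capture groups for a matching line, else None."""
    m = RULE_REGEX.search(line)
    return m.groups() if m else None


def expand(template, groups):
    """Replace each $N with capture group N (digits taken greedily, so $11 is
    group 11). This is the example's own convention, not prelude-lml's."""
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1], template)


def apply_rule(line):
    """Expand every field template for a line, or return None if no match."""
    groups = match_rule(line)
    if groups is None:
        return None
    return {key: expand(tpl, groups) for key, tpl in RULE_FIELDS.items()}


def dangling_group_refs(fields=RULE_FIELDS, regex=RULE_REGEX):
    """List the $N references that point past the regex's last capture group
    (a rule edit that drops a group would show up here before deployment)."""
    refs = {int(n) for tpl in fields.values() for n in re.findall(r"\$(\d+)", tpl)}
    return sorted(n for n in refs if n < 1 or n > regex.groups)


def severity_is_idmef(value):
    """True when the expanded severity is one RFC 4765 allows; ModSecurity's
    own levels (CRITICAL, WARNING, ...) are not, so a mapping is needed."""
    return value in IDMEF_SEVERITIES


if __name__ == "__main__":
    for key, value in apply_rule(SAMPLE_LOG).items():
        print(f"{key} = {value}")
    print("dangling group refs:", dangling_group_refs())
    print("severity valid IDMEF:", severity_is_idmef(apply_rule(SAMPLE_LOG)["assessment.impact.severity"]))
```

Running it prints the expanded fields for the sample line; the severity check fails for `CRITICAL`, which is the reason a rule that copies ModSecurity's severity string straight into `assessment.impact.severity` needs a mapping step (or a fixed value) before the alert is valid IDMEF.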