Gerhard Vissie Visser
2018-10-22 07:45:39 UTC
Hi. I would like to just some advice if I may.
I get this email notification maybe twice a day.
OSSEC HIDS Notification.
2018 Oct 20 14:18:33
Received From: server->/var/log/nginx/access.log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Src IP: 12.345.67.89
Portion of the log(s):
12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade
HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
--END OF NOTIFICATION
The source IP is my workstation. So I know this is not a attack of sorts.
This is after I installed a specific application and setup a reverse proxy
for it (https://server.me.com)
I have also white listed my IP (12.345.67.89)
To try and hide this message, I created a custom rule:
<rule id="31122" level="0">
<if_sid>31120</if_sid>
<id>^500</id>
<srcip>12.345.67.89</srcip>
<description>Web server 500 error code (Internal Error).</description>
</rule>
I can not pickup that anything is blocked, my app works like I would have
expected. The only thing is these emails that I get. Besides that I could
not have picked up any negativity.
I still need to see if this makes a difference.
My questions:
1. Was this the right thing to do?
2. Did I write the rule correctly?
3. This rule seem to be very generic (^500). Can I somehow be more specific?
Maybe say that all 500 errors from/on app "https://server.me.com"? If so,
how?
4. Any other advice that would have resulted in a better outcome maybe?
As I am still new at OSSEC, advice will really be appreciated.
Vissie
I get this email notification maybe twice a day.
OSSEC HIDS Notification.
2018 Oct 20 14:18:33
Received From: server->/var/log/nginx/access.log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Src IP: 12.345.67.89
Portion of the log(s):
12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade
HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
--END OF NOTIFICATION
The source IP is my workstation. So I know this is not a attack of sorts.
This is after I installed a specific application and setup a reverse proxy
for it (https://server.me.com)
I have also white listed my IP (12.345.67.89)
To try and hide this message, I created a custom rule:
<rule id="31122" level="0">
<if_sid>31120</if_sid>
<id>^500</id>
<srcip>12.345.67.89</srcip>
<description>Web server 500 error code (Internal Error).</description>
</rule>
I can not pickup that anything is blocked, my app works like I would have
expected. The only thing is these emails that I get. Besides that I could
not have picked up any negativity.
I still need to see if this makes a difference.
My questions:
1. Was this the right thing to do?
2. Did I write the rule correctly?
3. This rule seem to be very generic (^500). Can I somehow be more specific?
Maybe say that all 500 errors from/on app "https://server.me.com"? If so,
how?
4. Any other advice that would have resulted in a better outcome maybe?
As I am still new at OSSEC, advice will really be appreciated.
Vissie
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.