Apache rule incorrect #886

Open
inf0rmix opened this issue Nov 11, 2024 · 0 comments

The current Apache rule for failed login is currently not matching due to a wrong sid:

30302

When I change the id to 30301, the rule is correctly matched:

```
echo '[Mon Nov 11 12:27:53.796423 2024] [auth_basic:error] [pid 2483913:tid 2483939] [client xxx:57536] AH01617: user xxx: authentication failure for "/": Password Mismatch' | /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.9.0
Type one log per line

**Phase 1: Completed pre-decoding.
full event: '[Mon Nov 11 12:27:53.796423 2024] [auth_basic:error] [pid 2483913:tid 2483939] [client xxx:57536] AH01617: user xxx: authentication failure for "/": Password Mismatch'

**Phase 2: Completed decoding.
name: 'apache-errorlog'
parent: 'apache-errorlog'
id: 'AH01617'
srcip: 'xxx'
srcport: '57536'

**Phase 3: Completed filtering (rules).
id: '30308'
level: '5'
description: 'Apache: User authentication failed.'
groups: '['apache', 'web', 'authentication_failed']'
firedtimes: '1'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
nist_800_53: '['AU.14', 'AC.7']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
```

All tested with Wazuh release 4.9.0.
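A regression check for the symptom reported above, as an added example that is not part of the original issue or the Wazuh project: it parses `wazuh-logtest` output of the shape shown in the issue and confirms that the expected rule id and group fired. The sample output is constructed, and `parse_logtest` and `check_rule` are hypothetical helper names.

```python
import re

# Constructed sample: wazuh-logtest output in the shape shown in the issue.
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
full event: '[Mon Nov 11 12:27:53.796423 2024] [auth_basic:error] [pid 1:tid 2] [client xxx:57536] AH01617: user xxx: authentication failure for "/": Password Mismatch'

**Phase 2: Completed decoding.
name: 'apache-errorlog'
id: 'AH01617'
srcip: 'xxx'

**Phase 3: Completed filtering (rules).
id: '30308'
level: '5'
description: 'Apache: User authentication failed.'
groups: '['apache', 'web', 'authentication_failed']'
"""

PHASE_RE = re.compile(r"^\*\*Phase (\d+): ")
# Field lines look like  key: 'value'  and the value may itself contain quotes.
FIELD_RE = re.compile(r"^\s*([\w.]+(?: [\w.]+)*): '(.*)'\s*$")


def parse_logtest(text):
    """Return {phase_number: {field: value}} from wazuh-logtest output."""
    phases, current = {}, None
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            current = phases.setdefault(int(m.group(1)), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return phases


def check_rule(text, expected_id, expected_group):
    """True only if phase 3 fired expected_id and carries expected_group."""
    rule = parse_logtest(text).get(3, {})  # no phase 3 section -> no rule fired
    groups = re.findall(r"'([^']+)'", rule.get("groups", ""))
    return rule.get("id") == expected_id and expected_group in groups
```

Feeding it the captured output of a sample log line after each ruleset change catches a failed-login event that stops at the decoder or lands on a different rule.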
