Monthly Archives: May 2012

Faking (all) user agents

If you are going to fake a user agent, do it right :) Seeing some web scanners faking all possible browsers out there in one single request: Firefox/3.6 Chrome/9 Firefox/3.0 Opera/9.99? Safari and more... This is the actual log (searching …

Posted in log analysis, webattacks

OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those:

    <rule id="31110" level="6">
      <if_sid>31100</if_sid>
      <url>?-d|?-s|?-a|?-b|?-w</url>
      <description>PHP CGI-bin vulnerability attempt.</description>
      <group>attack,</group>
    </rule>

It looks for the possibly dangerous …

Posted in ossec, webattacks

Database Logging (PostgreSQL and MySQL)

Nobody cares about database logging, but I really recommend enabling it to see what is happening behind the scenes (especially for web applications). To enable it on PostgreSQL (and be compatible with OSSEC):

    # Adding the timestamp, hostname and database.
    log_line_prefix …

Posted in log analysis, ossec