Hoping someone can point me in the right direction.
In the default error log at /var/log/httpd/error_log, I'm getting repeated errors with no date/timestamp in between general "File does not exist" errors and ASL blocks.
[Wed Apr 13 17:16:16 2016] [error] [client x.x.x.x File does not exist: /var/www/vhosts/default/htdocs/2011
[Wed Apr 13 17:23:21 2016] [error] [client x.x.x.x] ModSecurity: [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "191"] [id "332039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests/. "] [severity "CRITICAL"] Access denied with redirection to http://redirected.com?b=x.x.x.x^Vw5yeW2pO54AACA0o4wAAAAI^332039^20160413172321 using status 302 (phase 2). Pattern match "python-requests/" at REQUEST_HEADERS:User-Agent. [hostname "x.x.x.x"] [uri "/recordings/theme/iefixes.css"] [unique_id "Vw5yeW2pO54AACA0o4wAAAAI"]
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
[Wed Apr 13 18:24:42 2016] [error] [client x.x.x.x] ModSecurity: [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "353"] [id "333515"] [rev "4"] [msg "Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)"] [severity "ERROR"] [tag "no_ar"] Access denied with redirection to http://redirected.com?b=x.x.x.x^Vw6A2m2pO54AAEgBc7wAAAAJ^333515^20160413182442 using status 302 (phase 2). Pattern match "MJ12bot" at REQUEST_HEADERS:User-Agent. [hostname "mail.x.org"] [uri "/robots.txt"] [unique_id "Vw6A2m2pO54AAEgBc7wAAAAJ"]
With this, I'm getting close to 100 OSSEC HIDS notifications for rule 1002, which is doing its job picking up general unknown problems.
Anything to help point me in the right direction would be very much appreciated!
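A small triage helper, added here as an example and not part of the original post or of OSSEC/ASL: it splits an Apache 2.2-style error_log into timestamped entries and the bare lines that follow each one, then counts the distinct bare messages. The working assumption (mine, not stated in the post) is that untimestamped lines like "XPath error : Invalid expression" are stderr output from a module or PHP/CGI process that bypassed Apache's own log formatter, so the nearest preceding timestamped entry is the best available hint as to which request produced them. The sample log below is constructed from the post's lines with placeholder IPs, and the field names and functions are my own.

```python
import re
from collections import Counter

# Apache 2.2 error_log entry: "[Day Mon dd HH:MM:SS YYYY] [level] message".
# Anything that does not match this shape is treated as a bare (orphan) line.
ENTRY_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4})\] '
    r'\[(?P<level>\w+)\] (?P<msg>.*)$'
)
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')

# Constructed sample modelled on the lines quoted in the post (192.0.2.10 is a placeholder).
SAMPLE_LOG = """\
[Wed Apr 13 17:16:16 2016] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/2011
[Wed Apr 13 17:23:21 2016] [error] [client 192.0.2.10] ModSecurity: [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "191"] [id "332039"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests)."] [uri "/recordings/theme/iefixes.css"]
XPath error : Invalid expression
XPath error : Invalid expression
XPath error : Invalid expression
[Wed Apr 13 18:24:42 2016] [error] [client 192.0.2.10] ModSecurity: [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "353"] [id "333515"] [msg "Atomicorp.com WAF Rules: MJ12 Distributed bot detected"] [uri "/robots.txt"]
"""


def parse_error_log(text):
    """Return a list of entries; each timestamped line starts a new entry and
    bare lines are attached to the entry that precedes them (assumption: they
    are stderr output interleaved into error_log by the same worker)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            msg = m.group("msg")
            uri = URI_RE.search(msg)
            rule = RULE_ID_RE.search(msg)
            entries.append({
                "ts": m.group("ts"),
                "level": m.group("level"),
                "msg": msg,
                "uri": uri.group(1) if uri else None,
                "modsec_id": rule.group(1) if rule else None,
                "orphans": [],
            })
        elif line.strip():
            if not entries:
                # Bare line before any timestamped entry: keep it, but unattributed.
                entries.append({"ts": None, "level": None, "msg": None,
                                "uri": None, "modsec_id": None, "orphans": []})
            entries[-1]["orphans"].append(line)
    return entries


def orphan_summary(entries):
    """Count each distinct bare message across the log. This is the list a
    local HIDS rule would need to match to quiet a generic catch-all without
    also hiding the properly formatted Apache/ModSecurity entries."""
    counts = Counter()
    for e in entries:
        counts.update(e["orphans"])
    return counts


def orphan_context(entries):
    """For every entry that has bare lines after it, report the preceding
    entry's timestamp, URI and ModSecurity rule id plus the orphan count, so
    the operator can see which request likely triggered the noise."""
    return [(e["ts"], e["uri"], e["modsec_id"], len(e["orphans"]))
            for e in entries if e["orphans"]]


if __name__ == "__main__":
    parsed = parse_error_log(SAMPLE_LOG)
    for msg, n in orphan_summary(parsed).most_common():
        print(f"{n:4d}  {msg}")
    for ts, uri, rid, n in orphan_context(parsed):
        print(f"{n} bare line(s) after [{ts}] uri={uri} modsec_id={rid}")
```

Run against the real file with `parse_error_log(open("/var/log/httpd/error_log").read())`; the context report points at the request (here the one for /recordings/theme/iefixes.css) that precedes each burst of untimestamped lines, which is where to look for the script or module emitting them.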