bookmark_borderCode 200: Good or Bad?

Anton Chuvakin commented in his blog about a mistake that most analysts make when monitoring their logs: they only care about errors or failures and forget about the sucessful entries. The comment was regarding to web logs, but it applies to all formats.
He also asked about how to separate the interesting (security relevant) sucessful entries to the normal ones (valid access). This was my reply:

I also think that sucessful attempts should be checked and taken in consideration…

For 200 (sucess) return codes, it is very hard to separate the “bad” from the “good”, specially on dynamic web sites. To try to solve this problem, on ossec, we built a list of strings that are most of the time bad on URLs. For example, for sql injections, we use the following combination:

=’|select%20|insert%20|%20from%20|%20where%20|union%20

For cross site scripting, we use:

%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|%20ONLOAD=|INPUT%20


We also have more *patterns for specific attacks, common worms , etc.

Btw, I also think that this analysis must be done on web proxy logs too.
On ossec we use that on our squid rules and we can easily detect
infected internal systems by their http requests…