Maybe create a custom rule identical to the rule shown, but insert source or
destination IP addresses as needed.

On 6/6/07, FRANCIS PROVENCHER <[EMAIL PROTECTED]> wrote:
>
>
> Hi all, I'm new to the OSSEC world.
>
> My OSSEC installation watches for NIDS (Snort) log alerts in
> /var/log/message/.
>
> I've installed the web interface for OSSEC and everything works great! Except, when I
> press F5 in the web interface (or when the web interface reloads by itself)
> to see if alerts were added, Snort interprets it as an "attack". I always
> receive this error:
>
> 2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
> Location: (************) 10.*.*.6->/var/log/messages
> IDS event.
>
>       Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar
> access [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> 10.*.*.2:34282 -> 10.*.*.6:80
>
> How can I stop logging this false positive?
>
> Sorry if the question has been asked before; I've googled for some time but found
> nothing about it.
>
> Thanks all
>
>
>
> Francis Provencher
> Ministère de la Sécurité publique du Québec
> Direction des technologies de l'information
> Division de la sécurité informatique
> Tel: 1 418 646-3258
> Email: [EMAIL PROTECTED]
>
> CEH - Certified Ethical Hackers
> SSCP - System Security Certified Practitioner
> Sec+ - Security +
>
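
The custom rule suggested in the reply could look like the following in OSSEC's local_rules.xml (default path /var/ossec/rules/local_rules.xml). This is an added example, not part of the original thread; the rule id 100101 and both IP addresses are placeholders chosen here, since the thread masks the real addresses.

```xml
<!-- local_rules.xml: added example, not taken from the thread -->
<group name="local,ids,">

  <!-- Child of the generic "IDS event." rule 20101 shown in the alert.
       Level 0 means the event is matched and then ignored.
       Rule id 100101 is an arbitrary id picked for this example. -->
  <rule id="100101" level="0">
    <if_sid>20101</if_sid>

    <!-- Snort signature from the alert: [1:882:5] WEB-CGI calendar access -->
    <id>^1:882:</id>

    <!-- Placeholder addresses (assumptions):
         srcip = workstation that browses the OSSEC web interface
         dstip = host serving the OSSEC web interface -->
    <srcip>192.0.2.10</srcip>
    <dstip>192.0.2.20</dstip>

    <description>Ignore Snort 1:882 caused by OSSEC web UI refresh.</description>
  </rule>

</group>
```

Keeping all three conditions (signature, source and destination) limits the suppression to the web interface refresh, so the same Snort signature seen from any other host still raises rule 20101.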
