On 6/6/07, FRANCIS PROVENCHER <[EMAIL PROTECTED]> wrote:
>
> I've installed the web interface for OSSEC. All works great, except that when I
> press F5 (or when the web interface reloads by itself) to see if alerts were
> added, Snort interprets it as an "attack". I always receive this error:
>
> 2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
> Location: (************) 10.*.*.6->/var/log/messages
> IDS event.
>
>      Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar
> access [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> 10.*.*.2:34282 -> 10.*.*.6:80
>
> How can I stop logging this false positive?


This Snort signature is a very common false positive and my recommendation
is to disable it.  It triggers on ANY URI with /calendar in it, such as any
of these:

   http://www.yahoo.com/calendar/foo
   http://www.yahoo.com/calendar/
   http://www.yahoo.com/foo/calendar/foo
   http://www.yahoo.com/calendarzzzaaadddeee.html
   http://www.yahoo.com/calendarqwer
   http://www.yahoo.com/calendarqwer.html
   http://www.yahoo.com/foo/calendarzzyyxx/foo

On a related note - I have been in the process of releasing an updated Snort
config which incorporates false positive reduction from a variety of sources
including honeynet projects.

The problem with Snort, or any other IDS for that matter, is that there are
many false positives and significant tuning is required by each user.  But
what we can do is take input from a variety of contributors and, based on that,
tune out the most common false positives.  In some cases, we modify the
Snort signatures themselves or modify the threshold rather than disabling the
signature.

I'll post info to this list when this project is ready for public release.
Anyone who wants to contribute Snort alert data, please contact me offlist.

Tom
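An added example (not part of the original thread, and not code from the Snort or OSSEC projects) showing the tuning workflow Tom describes: parse Snort alerts from syslog-style lines in the format quoted above, count them per signature and per source host, and emit `threshold.conf` suppression entries. The log lines, host addresses (10.0.0.2 as the box running the OSSEC web interface, 10.0.0.6 as the web server) and the local SID 1000001 are constructed for the example; the `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax is Snort 2.x threshold.conf syntax.

```python
import re
from collections import Counter, defaultdict

# Syslog form Snort uses when logging to syslog, as in the quoted alert:
#   snort[PID]: [gid:sid:rev] MSG [Classification: C] [Priority: P]: {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log (hypothetical hosts: 10.0.0.2 runs the OSSEC web UI,
# 10.0.0.6 is the web server; SID 1000001 is a made-up local rule).
SAMPLE_LOG = """\
Jun  6 15:16:38 ids snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.2:34282 -> 10.0.0.6:80
Jun  6 15:17:38 ids snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.2:34290 -> 10.0.0.6:80
Jun  6 15:18:38 ids snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.2:34301 -> 10.0.0.6:80
Jun  6 15:19:02 ids snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.9:51000 -> 10.0.0.6:80
Jun  6 15:20:11 ids snort[11669]: [1:1000001:1] LOCAL example rule [Classification: Misc activity] [Priority: 3]: {TCP} 10.0.0.9:51004 -> 10.0.0.6:80
Jun  6 15:21:00 ids sshd[2211]: Accepted publickey for ops from 10.0.0.9 port 40222 ssh2
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[k] = int(fields[k])
    return fields


def summarize(lines):
    """Count alerts per (gid, sid) and, for each signature, per source host."""
    counts = Counter()
    messages = {}
    sources = defaultdict(Counter)
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not a Snort alert (e.g. the sshd line)
        key = (alert["gid"], alert["sid"])
        counts[key] += 1
        messages[key] = alert["msg"]
        sources[key][alert["src"]] += 1
    return counts, messages, sources


def suppress_entries(counts, sources, min_hits=3, single_source_share=0.75):
    """Suggest threshold.conf 'suppress' lines for noisy signatures.

    When most hits for a signature come from one host (here, the monitoring box
    reloading its web UI), suppress only that source so the rule still fires for
    everyone else; otherwise suppress the signature outright, which has the same
    effect as disabling the rule.
    """
    out = []
    for (gid, sid), n in counts.most_common():
        if n < min_hits:
            continue
        src, src_hits = sources[(gid, sid)].most_common(1)[0]
        if src_hits / n >= single_source_share:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out


if __name__ == "__main__":
    counts, messages, sources = summarize(SAMPLE_LOG.splitlines())
    for key, n in counts.most_common():
        print(f"{key[0]}:{key[1]} {n:4d}  {messages[key]}")
    print("\n".join(suppress_entries(counts, sources)))
```

On the sample data this proposes `suppress gen_id 1, sig_id 882, track by_src, ip 10.0.0.2`, i.e. the web-interface host is exempted from SID 882 while hits from other clients still alert; raise `single_source_share` to fall through to the blanket `suppress gen_id 1, sig_id 882`, which matches Tom's advice to disable the rule. Feeding a day of real `/var/log/messages` into `summarize()` instead of `SAMPLE_LOG` gives the per-signature counts that the tuning effort he describes is built on.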
