The best way would be to tune the rule in snort. However, if for some reason that is not an option, you can add a rule to ignore in the local_rules.xml file:
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

--
Isaac Straley
Manager, IT Security
Network and Academic Computing Services
University of California, Irvine
Office :: (949) 824-1471
Email :: [EMAIL PROTECTED]

FRANCIS PROVENCHER wrote:
> Hi all, I'm new in the OSSEC world.
>
> My OSSEC installation watches for NIDS (Snort) log alerts in the
> /var/log/message/.
>
> I've installed the Web interface for OSSEC... all works great! Except that
> when I press F5 (or when the web interface reloads by itself) in the Web
> interface to see if alerts were added, Snort interprets it as an "attack".
> I always receive this error:
>
> 2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
> Location: (************) 10.*.*.6->/var/log/messages
> IDS event.
>
> Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar access
> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> 10.*.*.2:34282 -> 10.*.*.6:80
>
> How can I stop logging this false positive?
>
> Sorry if the question has been asked before; I've googled for some time but
> found nothing about it.
>
> Thanks all
>
>
>
> Francis Provencher
> Ministère de la Sécurité publique du Québec
> Direction des technologies de l'information
> Division de la sécurité informatique
> Tel: 1 418 646-3258
> Email: [EMAIL PROTECTED]
>
> CEH - Certified Ethical Hackers
> SSCP - System Security Certified Practitioner
> Sec+ - Security +
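An added example, not part of the original thread and not a rule shipped with OSSEC: a local_rules.xml child rule that silences rule 20101 only for the Snort signature in the quoted alert (1:882, "WEB-CGI calendar access") and only between one source and one destination. The rule id 100101 and both 192.0.2.x addresses are placeholders chosen for illustration (the real addresses are masked in the alert), and the srcip/dstip conditions assume the Snort decoder populated those fields.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; not from the original thread) -->
<group name="local,ids,">

  <!--
    Child of rule 20101 ("IDS event."), the rule that fired in the quoted alert.
    level="0" means the event is matched but never logged or alerted on.
    The id 100101 is an arbitrary pick from the range OSSEC reserves for
    user-defined rules (100000 to 109999).
  -->
  <rule id="100101" level="0">
    <if_sid>20101</if_sid>

    <!-- Limit the exception to the one Snort signature seen in the alert:
         [1:882:5] WEB-CGI calendar access -->
    <match>WEB-CGI calendar access</match>

    <!-- Placeholder addresses: replace with the workstation that browses the
         web UI (source) and the OSSEC web UI host (destination). Scoping by
         address keeps the same signature alerting for every other host. -->
    <srcip>192.0.2.10</srcip>
    <dstip>192.0.2.20</dstip>

    <description>Ignore Snort 1:882 for web UI refreshes from the admin workstation.</description>
  </rule>

</group>
```

After editing, restart OSSEC and paste the Snort line from /var/log/messages into /var/ossec/bin/ossec-logtest to confirm it now resolves to the level 0 rule instead of 20101.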
