Hi Josh,

Great suggestion, but I would recommend using the "url" tag instead of "match" to ignore these patterns:

  <!-- place inside the existing <group> element of local_rules.xml -->
  <rule id="100101" level="0">
    <if_sid>31106</if_sid>
    <url>^/images/listing_photos</url>
    <description>Events ignored</description>
  </rule>

Just add that to local_rules.xml and you should be good to go.

*btw, I don't think that these rules are very likely to generate false positives, especially on Unix systems (where people don't use spaces for file names). It is matching on the %20from%20, which is commonly used on SQL injections...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/19/07, Josh Drummond <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> You could add an ignore rule for that rule id #31106... look at
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules for
> details. I would not ignore that rule completely though, because the
> last thing you want is false negatives, and that is a common
> attack. Consider ignoring that rule id but only if you <match>
> /images/ in the URL or something like that; it's unlikely someone will
> SQL inject something in an images directory.
>
> HTH,
> ~Josh
>
> At 02:15 PM 6/19/2007, [EMAIL PROTECTED] wrote:
> >
> > I just installed OSSEC in local mode on a server this morning that hosts a
> > handful of domains. I'm getting the following false positive:
> >
> > ** Alert 1182271050.356: mail - web,accesslog,attack,
> > 2007 Jun 19 09:37:30 122->/home/domain/logs/access_log
> > Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).'
> > Src IP: 192.168.0.1
> > User: (none)
> > 192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET
> > /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
> >
> > The log file entry is:
> >
> > 192.168.0.1 - - [17/Jun/2007:15:42:18 -0700] "GET
> > /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
> >
> > It looks like it's matching on rule 31106 in web_rules.xml due to the
> > image file name containing the word "from" surrounded by spaces. I
> > imagine the likelihood of this happening elsewhere is high.
> >
> > How best should I deal with the issue?
> >
> > Thanks.
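The following is an added example, not part of the thread and not OSSEC's own code. It models the rule chain the thread is talking about (an SQL injection URL rule, the level 12 "returned 200" child rule 31106, and Daniel's level 0 child rule 100101) as a small Python rule tree, and runs constructed access log lines through it. The SQL injection pattern list is a simplified stand-in for what web_rules.xml actually checks, the `<url>` condition is modelled as a prefix test on the request URL, and the `<match>` variant is modelled as a substring test on the whole log line; those are assumptions about the engine, not a reproduction of it. The point it adds beyond the thread: a whole-line `<match>` can be satisfied by attacker-controlled fields such as the Referer, which a `<url>` condition cannot, and any exception scoped by path also silences a real injection against a script living under that path, which is the trade-off Josh mentioned.

```python
"""Simulate OSSEC-style rule inheritance for the thread's false positive.

Added example: the rule levels and the SQL injection pattern list are a
simplified stand-in for OSSEC's web_rules.xml, and all log lines below are
constructed for the demonstration.
"""
import re

# Apache access log, with an optional "combined" tail (referer, user agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumption: a shortened version of the URL fragments OSSEC's SQL injection
# rule looks for. "%20from%20" is the one that hits the image file name.
SQLI_URL_PATTERNS = ("select%20", "select+", "insert%20", "%20from%20",
                     "%20where%20", "union%20", "union+", "xp_cmdshell")


def parse(line):
    """Return the log fields as a dict, or None if the line is not an access log entry."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


# Rule conditions take the parsed event and the raw line.
def sqli_in_url(ev, line):
    u = ev["url"].lower()
    return any(p in u for p in SQLI_URL_PATTERNS)


def status_200(ev, line):
    return ev["status"] == "200"


def url_prefix(prefix):
    """Model of <url>^prefix</url>: tested against the request URL field only."""
    return lambda ev, line: ev["url"].startswith(prefix)


def match_anywhere(text):
    """Model of <match>text</match>: tested against the whole log line."""
    return lambda ev, line: text in line


# Rule tree: "parent" plays the role of <if_sid>. A matching child overrides
# its parent, so a level 0 child turns the parent's alert into an ignore.
RULES = [
    {"id": 31103, "level": 6,  "parent": None,  "cond": sqli_in_url},
    {"id": 31106, "level": 12, "parent": 31103, "cond": status_200},
]
URL_IGNORE = {"id": 100101, "level": 0, "parent": 31106,
              "cond": url_prefix("/images/listing_photos")}
MATCH_IGNORE = {"id": 100101, "level": 0, "parent": 31106,
                "cond": match_anywhere("/images/listing_photos")}


def _walk(ev, line, rules, parent):
    for r in rules:
        if r["parent"] == parent and r["cond"](ev, line):
            child = _walk(ev, line, rules, r["id"])
            return child if child else (r["id"], r["level"])
    return None


def evaluate(line, rules):
    """Return (rule_id, level) of the deepest matching rule, or None."""
    ev = parse(line)
    return _walk(ev, line, rules, None) if ev else None


# Constructed log lines. IMAGE mirrors the thread's false positive.
IMAGE = ('192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET '
         '/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069')
SQLI_OK = ('10.0.0.7 - - [19/Jun/2007:10:01:02 -0700] "GET '
           '/search.php?q=1%20union%20select%20pass%20from%20users HTTP/1.1" 200 512')
SQLI_ERR = SQLI_OK.replace('" 200 512', '" 500 221')
# A real injection against a script under the image directory: the path-scoped
# exception silences it too (the false negative Josh warned about).
SQLI_UNDER_IMAGES = ('10.0.0.7 - - [19/Jun/2007:10:02:30 -0700] "GET '
                     '/images/listing_photos/view.php?id=1%20union%20select%201 HTTP/1.1" 200 77')
# Injection elsewhere, with the ignore string planted in the attacker-controlled
# Referer: only the whole-line <match> variant is fooled by this.
SQLI_REFERER = ('10.0.0.7 - - [19/Jun/2007:10:03:00 -0700] "GET '
                '/search.php?q=1%20union%20select%201 HTTP/1.1" 200 77 '
                '"http://example.test/images/listing_photos/" "Mozilla/5.0"')
CLEAN = '10.0.0.8 - - [19/Jun/2007:10:04:00 -0700] "GET /index.html HTTP/1.1" 200 1024'

if __name__ == "__main__":
    for name, line in [("image", IMAGE), ("sqli 200", SQLI_OK), ("sqli 500", SQLI_ERR),
                       ("sqli under images", SQLI_UNDER_IMAGES),
                       ("sqli + referer", SQLI_REFERER), ("clean", CLEAN)]:
        print(f"{name:18} url-ignore: {evaluate(line, RULES + [URL_IGNORE])}"
              f"  match-ignore: {evaluate(line, RULES + [MATCH_IGNORE])}")
```

Running it shows the image request dropping to level 0 with either exception, the ordinary injection still reaching level 12, and the two lines that differ: the injection under /images/listing_photos is ignored by both variants, and the injection with the planted Referer is ignored only by the `<match>` variant. If the image directory can never serve scripts, the first is acceptable; the second is why the condition belongs on the URL field rather than the whole line.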
