Hi Andy,

The best way to ignore those is to write a local rule to ignore the
event, instead of just ignoring them for the active response. Since
you know it is a false positive, you don't need to be seeing alerts
about them.

Something like this would work (just copy it to your local_rules.xml):

  <!-- Level 0 child of 31101 (the per-event 400 rule): a matching event is
       discarded, so it is never counted by the frequency rule 31151 -->
  <rule id="100101" level="0">
    <if_sid>31101</if_sid>
    <!-- OSSEC regex; "|" separates the alternatives -->
    <url>url1_to_ignore|url2_to_ignore</url>
    <description>Ignoring false positives...</description>
  </rule>


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
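To see why the level-0 rule stops the blocks, here is a small added simulation (not OSSEC code) of the matching chain: rule 31101 is simplified to "any 4xx status", the local rule drops events whose URL matches the ignore pattern, and the frequency threshold and Apache log lines are constructed for the example.

```python
"""Toy model of how a level-0 child rule keeps the frequency rule 31151 from
firing. Added example, not OSSEC code; threshold and log lines are constructed."""
import re
from collections import defaultdict

# Constructed Apache access-log lines: 10.0.0.5 is a real visitor whose pages
# reference two JS files that no longer exist; 192.0.2.9 requests missing pages.
LOG_LINES = [
    '10.0.0.5 - - [27/Sep/2007:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 1532',
    '10.0.0.5 - - [27/Sep/2007:10:00:02 -0400] "GET /js/old-menu.js HTTP/1.1" 404 209',
    '10.0.0.5 - - [27/Sep/2007:10:00:02 -0400] "GET /js/tracker.js HTTP/1.1" 404 209',
    '10.0.0.5 - - [27/Sep/2007:10:00:09 -0400] "GET /about.html HTTP/1.1" 200 1102',
    '10.0.0.5 - - [27/Sep/2007:10:00:10 -0400] "GET /js/old-menu.js HTTP/1.1" 404 209',
    '10.0.0.5 - - [27/Sep/2007:10:00:10 -0400] "GET /js/tracker.js HTTP/1.1" 404 209',
    '192.0.2.9 - - [27/Sep/2007:10:01:00 -0400] "GET /missing-1.html HTTP/1.1" 404 209',
    '192.0.2.9 - - [27/Sep/2007:10:01:01 -0400] "GET /missing-2.html HTTP/1.1" 404 209',
    '192.0.2.9 - - [27/Sep/2007:10:01:02 -0400] "GET /missing-3.html HTTP/1.1" 404 209',
    '192.0.2.9 - - [27/Sep/2007:10:01:03 -0400] "GET /missing-4.html HTTP/1.1" 404 209',
]

LOG_RE = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# The <url> pattern of the local rule 100101 (OSSEC regex, "|" = alternatives)
IGNORE_URL = re.compile(r'/js/old-menu\.js|/js/tracker\.js')
FREQ_THRESHOLD = 4  # constructed; real 31151 has its own frequency/timeframe


def frequency_alerts(lines, ignore_url=IGNORE_URL):
    """Return the set of source IPs for which the frequency rule would fire
    (and therefore trigger active response)."""
    counts = defaultdict(int)
    fired = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m['status'].startswith('4'):
            continue  # rule 31101 (4xx) does not match this event
        if ignore_url is not None and ignore_url.search(m['url']):
            continue  # local rule 100101, level 0: event dropped, never counted
        counts[m['srcip']] += 1
        if counts[m['srcip']] >= FREQ_THRESHOLD:
            fired.add(m['srcip'])  # 31151 alerts here
    return fired


if __name__ == '__main__':
    print('without local rule:', frequency_alerts(LOG_LINES, ignore_url=None))
    print('with local rule:   ', frequency_alerts(LOG_LINES))
```

Without the local rule both addresses reach the threshold and would be blocked; with it only 192.0.2.9 does, while the customer's repeated missing-JS requests are dropped before 31151 ever sees them.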

On 9/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Although it's good to enable active response for just the rules you
> want, is there a way to do the opposite, which allows you to add a rule
> that won't fire off active response (like an exception list)?
>
> For example, I am getting a lot of web customers who have embedded
> JavaScript code in their HTML files that does not exist, hence
> triggering Rule: 31151 (level 10) -> 'Multiple web server 400 error
> codes from same source ip.'. Because I have active response turned on,
> these unknowing customers' IPs are blocked after browsing to a few
> pages within the site because the web server can't find those
> JavaScript files. I know it's bad coding, but is there a way to exclude
> this rule from triggering active response without having to turn active
> response off?
>
> Thanks.
>
> Andy
>
>
