We host SugarCRM for many businesses and OSSEC doesn't like the long
URLs and the strange characters that are pretty normal for SugarCRM.  We
get this same alert for 'normal' Sugar traffic multiple times each day.

Does anyone have any crafty ideas on how to reduce false positives in
our situation?

Sample Alert

OSSEC HIDS Notification.
2008 Jan 07 17:32:10

Received From: (sugar-server1) 101.1.199.20->/usr/local/apache2/logs/access_log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):

"GET /jtr/index.php?module=Leads&action=Import&step=last&return_module=Leads&return_action=index&message=Success%3A%3CBR%3E%3Cb%3E32%3C%2Fb%3E++Succesfully+Imported%3Cbr%3E%3Cb%3E0%3C%2Fb%3E+records+skipped+because+the+id%27s+either+existed+or+where+longer+than+36+characters%3Cbr%3E%3Cb%3E0%3C%2Fb%3E+records+skipped+because+they+were+missing+one+or+more+required+fields%3CBR%3E%3Cb%3E15%3C%2Fb%3E++Duplicates+Found&duplink=cache/import/ImportErrorFile_Leads_17173.csv HTTP/1.1" 200 11568 "http://sugar.rpstechnology.com/jtr/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

Thank you,
Clay

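One way to handle this kind of false positive is a local child rule that overrides 31106 for the SugarCRM front controller. The fragment below is an added example for local_rules.xml; it is not from Clay's post or from the OSSEC project's own rule set. It assumes rule id 100100 (any id in the user-defined range works) and uses the /jtr/index.php path from the alert above; the rule fires on the URL field that the web decoder extracts from the Apache access log, and the URL-encoded HTML tags in SugarCRM's "message" parameter are what the web attack rules underneath 31106 are reacting to.

```xml
<!-- Added example, not from the original post or the OSSEC rule set.
     Place in /var/ossec/rules/local_rules.xml and restart OSSEC.
     Rule id 100100 is an assumed id in the local range; the path
     /jtr/index.php comes from the alert and should be narrowed to the
     real SugarCRM install paths on the host. -->
<group name="local,web,">

  <!-- Child of 31106 ("A web attack returned code 200"). When the
       decoded request URL is SugarCRM's index.php, the alert is dropped:
       level 0 discards the event instead of alerting on it. Requests to
       any other path still reach 31106 unchanged. -->
  <rule id="100100" level="0">
    <if_sid>31106</if_sid>
    <url>^/jtr/index.php</url>
    <description>SugarCRM index.php request; known false positive for web attack rules.</description>
  </rule>

</group>
```

To check the rule, paste the full access-log line from the alert into /var/ossec/bin/ossec-logtest and confirm that the last rule reported is 100100 at level 0 rather than 31106 at level 12. Two caveats: this silences every "web attack returned 200" alert for that path, so keep the match as narrow as the traffic allows (for example adding the module= and action= parameters, remembering that `&` must be written as `&amp;` inside the XML), and consider a separate child rule at a low non-zero level instead of 0 if you still want the events in the archives for later review.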