Hi Clayton,

I think I replied to you already about this a while back, so take a look at:

http://www.mail-archive.com/[email protected]/msg02829.html


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 25, 2008 4:24 PM, Clayton Dillard <[EMAIL PROTECTED]> wrote:
>
>  We host SugarCRM for many businesses and OSSEC doesn't like the long URLs
> that are pretty normal for SugarCRM.  We get this same alert for 'normal'
> Sugar traffic multiple times each day.
>
>  Does anyone have any ideas on how to reduce false positives in our
> situation?
>
>  Sample Alert
>
>  OSSEC HIDS Notification.
>  2008 Jan 07 17:32:10
>
>  Received From: (sugar-server1)
> 101.1.199.20->/usr/local/apache2/logs/access_log
>  Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
>  Portion of the log(s):
>
>  "GET
> /jtr/index.php?module=Leads&action=Import&step=last&return_module=Leads&return_action=index&message=Success%3A%3CBR%3E%3Cb%3E32%3C%2Fb%3E++Succesfully+Imported%3Cbr%3E%3Cb%3E0%3C%2Fb%3E+records+skipped+because+the+id%27s+either+existed+or+where+longer+than+36+characters%3Cbr%3E%3Cb%3E0%3C%2Fb%3E+records+skipped+because+they+were+missing+one+or+more+required+fields%3CBR%3E%3Cb%3E15%3C%2Fb%3E++Duplicates+Found&duplink=cache/import/ImportErrorFile_Leads_17173.csv
> HTTP/1.1" 200 11568 "http://sugar.abc-corp.com/jtr/index.php" "Mozilla/5.0
> (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.11) Gecko/20071127
> Firefox/2.0.0.11"
>
>  Thank you,
>
>
>
>  Clayton Taylor Dillard
>
>  http://hspcd.blogspot.com/
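An added example, not part of this thread and not Daniel's or Clayton's own configuration: an OSSEC local rule in the form the project documents for suppressing a specific false positive. It is a child of rule 31106 that drops the level to 0 only when the request path and query look like the SugarCRM lead-import result page from the sample alert, so other "web attack returned code 200" hits on the same server still alert. The rule ID 100100 and the /jtr/index.php path prefix are assumptions taken from the alert above; local rule IDs must be 100000 or higher, and the path will differ if Sugar is installed elsewhere.

```xml
<!-- local_rules.xml: example added here, not from the thread.
     Child of 31106 (level 12, "A web attack returned code 200 (success)").
     Matches only the SugarCRM import status URL; everything else still alerts. -->
<group name="local,web,accesslog,">
  <rule id="100100" level="0">
    <if_sid>31106</if_sid>
    <!-- Path prefix taken from the sample alert; assumed to be your Sugar install. -->
    <url>^/jtr/index.php</url>
    <!-- Narrow further to the Leads import page so arbitrary requests to
         index.php that carry encoded HTML are not silenced as well. -->
    <match>module=Leads</match>
    <description>SugarCRM lead import result page; HTML in the message parameter is expected, not an attack.</description>
  </rule>
</group>
```

After adding the rule, restart OSSEC and feed the offending access_log line to /var/ossec/bin/ossec-logtest: it should report rule 100100 at level 0 instead of 31106. Keep the pattern as narrow as the traffic allows; a rule that ignores 31106 for all of index.php would also hide genuine encoded-script attempts that succeed with a 200.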
