It looks ok to me. Are most of the examples of this firing related to
the term "midterm"? If so, you could filter that out specifically.

On Thu, Apr 8, 2010 at 3:16 PM, Joe Burleson <[email protected]> wrote:
> Hello,
>
> This is the first time I have had to tune a rule and I'm not entirely sure
> how to adjust for this.
>
> ossec is firing
>
> Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
> Portion of the log(s):
>
> [08/Apr/2010:12:51:41 -0500] "GET
> /resources/12706692804bbcdfe0c656e/Excel%20Project%201%20-%20Midterm%20Gradebook%20Completed.zip
> HTTP/1.1" 200 18824 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2;
> WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
> 3.5.30729)"
>
> The "Midterm%20" part of the url is matching against this part of rule
> 31104: <url>cat%|exec%|rm%20</url>
>
> I know the simple (and maybe the best) solution would be to not use spaces
> in file names, however, convincing professors and students to do that is not
> an easy task.
>
> What I would like to do is create a custom rule in local_rules.xml, but I'm
> not sure if using a simple regex is the best solution. Here is what I was
> thinking:
>
> <group name="web,accesslog,">
>
>   <rule id="100001" level="0">
>      <if_sid>31106</if_sid>
>      <regex>\Wrm%20</regex>
>      <description>Word ending with rm%20 (false positive)</description>
>
>      <group name="attack,"></group>
>   </rule>
> </group>
>
> Any improvements/suggestions would be greatly appreciated.
>
> Thanks
>
> Joe Burleson
> Department of Computer Science
> Arkansas State University
>
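One way to implement the reply's suggestion of filtering on the specific term rather than on a generic `rm%20` pattern, written here as an added example (not code from either poster): a level-0 child of rule 31106 that matches only URLs containing the "Midterm" name, so every other `rm%20` hit still raises the original alert. It assumes the `<url>` field uses OSSEC's own case-sensitive regex syntax, where `|` is alternation, and that a level-0 rule overrides its parent.

```xml
<group name="web,accesslog,">

  <!-- Added example: suppress 31106 only for the known "Midterm" file names.
       if_sid 31106 scopes this to the "attack returned 200" alert; any other
       URL containing rm%20 is untouched. OSSEC regex is case-sensitive, so both
       spellings are listed. Rule ids 100000-119999 are reserved for local rules. -->
  <rule id="100001" level="0">
    <if_sid>31106</if_sid>
    <url>Midterm%20|midterm%20</url>
    <description>Midterm file download matched rm%20 (false positive)</description>
  </rule>

</group>
```

If the false positives later come from other file names, add them as further `|`-separated alternatives in the same `<url>` element instead of widening the pattern to any word ending in `rm`.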