Hi, i have a wordpress installed and use piwik to log the usage of it.
In my wordpress I have an artikle about a "Contact Form with reCAPTCHA". Piwik logs it and transforms the headline to "...Contact %20Form%20with%20reCAPTCHA...". OSSEC has rules 31104 (level 6) and rule 31106 (level 6 with if_sid 31104) in the web_rules.xml. Rule 31104 says that something like "rm %20" is bad and finds it in my piwik request under "...Form%20...". That is a false positive. Because my configuration is told to block everything from level 6 and up people who visit my artikle are blocked. Is it possible to rewrite one of the rules or add another rule to tell OSSEC to ignore "Form%20" but not "rm%20"? I would appreciate any hint. Kind regards Andre
