<rule id="SOMETHING" level="0"> <if_sid>31106</if_sid> <match>Form%20</match> <description>Ignore Form%20</description> </rule>
? On Wed, Sep 28, 2011 at 7:00 AM, andre.pietsch <[email protected]> wrote: > Hi, > > i have a wordpress installed and use piwik to log the usage of it. > > In my wordpress I have an artikle about a "Contact Form with > reCAPTCHA". Piwik logs it and transforms the headline to "...Contact > %20Form%20with%20reCAPTCHA...". > > OSSEC has rules 31104 (level 6) and rule 31106 (level 6 with if_sid > 31104) in the web_rules.xml. Rule 31104 says that something like "rm > %20" is bad and finds it in my piwik request under "...Form%20...". > That is a false positive. Because my configuration is told to block > everything from level 6 and up people who visit my artikle are > blocked. > > Is it possible to rewrite one of the rules or add another rule to tell > OSSEC to ignore "Form%20" but not "rm%20"? > > I would appreciate any hint. > > Kind regards > > > Andre >
