Hi dan, thanks a lot for the hint.
I have put it into local_rules.xml. Kind regards, Andre On 28 Sep., 14:33, "dan (ddp)" <[email protected]> wrote: > <rule id="SOMETHING" level="0"> > <if_sid>31106</if_sid> > <match>Form%20</match> > <description>Ignore Form%20</description> > </rule> > > ? > > > > > > > > On Wed, Sep 28, 2011 at 7:00 AM, andre.pietsch <[email protected]> wrote: > > Hi, > > > i have a wordpress installed and use piwik to log the usage of it. > > > In my wordpress I have an artikle about a "Contact Form with > > reCAPTCHA". Piwik logs it and transforms the headline to "...Contact > > %20Form%20with%20reCAPTCHA...". > > > OSSEC has rules 31104 (level 6) and rule 31106 (level 6 with if_sid > > 31104) in the web_rules.xml. Rule 31104 says that something like "rm > > %20" is bad and finds it in my piwik request under "...Form%20...". > > That is a false positive. Because my configuration is told to block > > everything from level 6 and up people who visit my artikle are > > blocked. > > > Is it possible to rewrite one of the rules or add another rule to tell > > OSSEC to ignore "Form%20" but not "rm%20"? > > > I would appreciate any hint. > > > Kind regards > > > Andre
