I am trying to figure out how to properly deal with Rule 31106 false
positives. The main issue is Rule 31103 which triggers on matches as
simple as '%20from%20' and '%20where%20'. This is very common in URLs on a
Drupal site using webform where these words appear in a form label.
Instead of just disabling Rule 31106 entirely I would prefer to adjust
things. The first thing I want to try is to have Rule 31103 only trigger if
one of the words SELECT, UPDATE or INSERT is _also_ in the URL as well as
one of the other <url> patterns already in the rule matching. But I don't
see how to do a logical AND operation when OSSEC rules seem to only work as a
logical OR. Or how to do a logical NOT operation. For example I would
like to put something in local_rules.xml like
<rule id="100301" level="0">
  <if_sid>31103</if_sid>
  <not><url>select%20|select+|update%20|update+|insert%20|insert+</url></not>
</rule>
so rule 31103 is suppressed if one of these 3 words is not in the URL.
Also it is not clear to me if this would actually then exclude URLs that DO
still trigger 31103 from being included in 31106.
Thanks
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
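Added illustration, not part of the post above and not OSSEC's own code: a small Python model of the rule-evaluation semantics the question turns on, run over a few constructed URLs. It assumes, as a simplification of OSSEC, that every field inside one rule must match (AND), that "|" inside a pattern separates plain, case-insensitive substring alternatives (OR), that an if_sid child is only tried after its parent matched, that among sibling children the higher-level rule is tried first and the first match wins, and that ending on a level-0 rule produces no alert. Rule ids 31103, 100301 and 100302 and the patterns follow the post; the parent rule's pattern here is a toy stand-in, not the shipped one.

```python
"""Toy model of OSSEC-style rule evaluation (added example, not OSSEC code).

Assumed semantics, approximating OSSEC:
  * every field inside one <rule> must match (logical AND);
  * '|' inside a pattern separates alternatives (logical OR), matched here
    as plain case-insensitive substrings;
  * a rule with <if_sid> is only tried after its parent matched;
  * among sibling children, higher-level rules are tried first, first match wins;
  * ending on a level-0 rule means the event raises no alert.
Only the <url> field is modelled; other fields would be ANDed the same way.
"""
import xml.etree.ElementTree as ET

# Constructed rule set: a stand-in for 31103, a level-0 child that swallows
# every 31103 hit, and a higher-level child that re-raises the hits which
# also contain one of the SQL verbs from the post. The higher-level child is
# tried first, so only verb-less hits fall through to the level-0 rule.
RULES_XML = """<group name="web">
  <rule id="31103" level="6">
    <url>%20from%20|%20where%20|%20union%20</url>
    <description>Toy stand-in for the shipped SQL injection pattern</description>
  </rule>
  <rule id="100302" level="6">
    <if_sid>31103</if_sid>
    <url>select%20|select+|update%20|update+|insert%20|insert+</url>
    <description>31103 hit that also carries a SQL verb</description>
  </rule>
  <rule id="100301" level="0">
    <if_sid>31103</if_sid>
    <description>Ignore 31103 hits without a SQL verb (webform labels)</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Parse <rule> elements into plain dicts (id, level, if_sid, url)."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if_sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(if_sid) if if_sid is not None else None,
            "url": r.findtext("url"),
        })
    return rules


def pattern_matches(pattern, value):
    """'|'-separated alternatives as case-insensitive substrings (assumed)."""
    if pattern is None:
        return True  # a rule with no <url> puts no constraint on the URL
    v = value.lower()
    return any(alt.lower() in v for alt in pattern.split("|"))


def rule_matches(rule, event):
    # AND over all fields of the rule; only <url> is modelled here.
    return pattern_matches(rule["url"], event["url"])


def evaluate(rules, event):
    """Return (rule_id, level) of the rule the event ends on, or None."""
    by_level = sorted(rules, key=lambda r: -r["level"])  # higher level first
    current = next((r for r in by_level
                    if r["if_sid"] is None and rule_matches(r, event)), None)
    if current is None:
        return None
    while True:  # descend through matching children until none matches
        children = [r for r in by_level if r["if_sid"] == current["id"]]
        nxt = next((c for c in children if rule_matches(c, event)), None)
        if nxt is None:
            return current["id"], current["level"]
        current = nxt


RULES = load_rules(RULES_XML)


def alert_for(url):
    """Rule id that would alert for this URL, or None if suppressed/unmatched."""
    result = evaluate(RULES, {"url": url})
    if result is None or result[1] == 0:
        return None
    return result[0]


if __name__ == "__main__":
    # Constructed sample URLs: a webform label, a genuine-looking probe,
    # and a label containing a verb but none of the parent's patterns.
    for u in ("/webform/results?field=Date%20from%20which%20to%20start",
              "/search?q=1%20where%201=1;update+users",
              "/webform?label=Select%20the%20date"):
        print(u, "->", alert_for(u))
```

The point the model makes is that the AND the post is after does not need a NOT: the parent supplies the first condition, the child rule supplies the second, and a level-0 sibling catches everything the child does not claim. Whether the shipped 31106 still fires for a suppressed URL depends on where it sits in that same sibling order, which is why the real rule tree should be checked with ossec-logtest rather than trusted from this sketch.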