On Thu, Aug 28, 2014 at 10:30 AM, Paul Raines <[email protected]> wrote:
> I am trying to figure out how to properly deal with Rule 31106 false
> positives. The main issue is Rule 31103 which triggers on matches as simple
> as '%20from%20' and '%20where%20'. This is very common in URLs on a Drupal
> site using webform where these words appear in a form label.
>
> Instead of just disabling Rule 31106 entirely I would prefer to adjust
> things. The first thing I want to try is to have Rule 31103 only trigger if
> one of the words SELECT, UPDATE or INSERT is _also_ in the URL as well as
> one of the other <url> patterns already in the rule matching. But I don't
> see how to do a logical AND operation when OSSEC rules seem to only work as
> a logical OR. Or how to do a logical NOT operation. For example I would
> like to put something in local_rules.xml like
>
>   <rule id="100301" level="0">
>     <if_sid>31103</if_sid>
>     <not><url>select%20|select+|update%20|update+|insert%20|insert+</url></not>
>   </rule>
>
> so rule 31103 is suppressed if one of these 3 words is not in the URL.
>
> Also it is not clear to me if this would actually then exclude URLs that DO
> still trigger 31103 from being included in 31106.
There's no way to do an AND or NOT.

For AND, use multiple rules:

  rule 1: <match>first thing</match>
  rule 2: <if_sid>rule 1</if_sid>
          <match>second thing</match>

For NOT, use multiple rules, but have the second rule (what would be the NOT)
set the level to 0.

> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
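Spelled out for the case in the question, here is the chaining pattern the reply describes, written as an added example for local_rules.xml (it is not code from the thread and not part of the stock OSSEC ruleset). It assumes 31103 is the shipped web_rules.xml "SQL injection" URL rule and that it carries level 6 (adjust if your copy differs); the rule IDs 100301 and 100302 and the group name are arbitrary local choices. The NOT is done first (a level-0 child of 31103 that matches everything), and the AND is then hung off that level-0 rule rather than off 31103 directly, so the keyword rule never has to compete with other children of 31103 for evaluation order. The `<url>` pattern is the one from the question, in OSSEC's simple match syntax, where `|` is OR and `+` is a literal character.

```xml
<!-- Added example for local_rules.xml; not from the original thread or the
     OSSEC ruleset. Assumptions: 31103 is the stock SQL-injection URL rule
     at level 6; 100301/100302 are free local rule IDs. -->
<group name="local,web,attack,">

  <!-- NOT: fires whenever 31103 fires and, having no extra condition,
       matches every such event. Level 0 means no alert, so a URL that
       only hit 31103 on '%20from%20' or '%20where%20' stops here. -->
  <rule id="100301" level="0">
    <if_sid>31103</if_sid>
    <description>Rule 31103 suppressed unless a DML keyword is also in the URL.</description>
  </rule>

  <!-- AND: a child of the level-0 rule, so it is only evaluated for events
       that already matched 31103. It re-raises the alert only when the URL
       ALSO contains select/update/insert (pattern taken from the question). -->
  <rule id="100302" level="6">
    <if_sid>100301</if_sid>
    <url>select%20|select+|update%20|update+|insert%20|insert+</url>
    <description>SQL injection attempt: 31103 pattern plus SELECT/UPDATE/INSERT in URL.</description>
  </rule>

</group>
```

Net effect: an event matching 31103 without one of the three keywords ends at 100301 (level 0, silent); an event matching 31103 with a keyword ends at 100302 (level 6, alerts). Whether events that end at level 0 still count toward 31106 is the second question in the thread and is not answered by this pattern; check how 31106 is chained in your web_rules.xml before relying on it.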
