I recently installed OSSEC but am receiving a lot of false positives from Splunk (log below) with the highest alert level, 12.
Is there any way to exclude these from OSSEC somewhere?
OSSEC HIDS Notification.
2007 Jul 12 22:35:18
Received From:
XXXXXXX->/var/www/vhosts/XXXXXX/statistics/logs/access_log
Rule: 31106 fired (level 12) -> "A web attack returned code 200
(success)." Portion of the log(s):
213.219.188.224 - XXXX [12/Jul/2007:22:35:16 +0200] "GET
/v2/splunk/search?q=page%200-10000%2010000%20%20%5B%20bundle%20savedsear
ches%20%7C%20filter%20disabled%20!%3D%20%22true%22%20%7C%20rename%20quer
y%20AS%20term%20%7C%20fields%20name%2Cterm%20%7C%20sort%20name%20a%20%5D
%20%20%7C%20outputxml%20autolimit%3A%3A350%20%22timeformat%3A%3A%25m%2F%
25d%2F%25Y%20%25H%3A%25M%3A%25S%22&xsl=s_metadata.xsl HTTP/1.1" 200
10521 "XXXXXXX" "Mozilla/5.0 (Windows; U; Windows NT
5.1; nl; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
--END OF NOTIFICATION
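One way to suppress this particular alert without disabling rule 31106 globally, as an added example that is not part of the original post or the OSSEC project's own rule set: a child rule in local_rules.xml that fires instead of 31106 only for the Splunk search URL and carries level 0, so it is never alerted on. The rule id 100100 is a constructed value in the range OSSEC reserves for local rules, and the example assumes the Splunk web interface is the only client requesting /v2/splunk/search on that vhost.

```xml
<!-- /var/ossec/rules/local_rules.xml
     Added example, not from the original post or from OSSEC's web_rules.xml.
     Assumes: rule 31106 is the one firing (as the alert shows) and that
     /v2/splunk/search on this vhost is only ever requested by the Splunk UI. -->
<group name="local,web,">

  <!-- Child of 31106: when 31106 would match AND the request URL starts with
       /v2/splunk/search, this rule wins instead. Level 0 means OSSEC neither
       logs nor e-mails it. Every other request that matched a web-attack rule
       and returned 200 still triggers 31106 at level 12 as before. -->
  <rule id="100100" level="0">
    <if_sid>31106</if_sid>
    <url>^/v2/splunk/search</url>
    <description>Splunk search query on the local Splunk instance, not a web attack.</description>
  </rule>

</group>
```

After saving the file, restart OSSEC and confirm the override with /var/ossec/bin/ossec-logtest: paste the access_log line from the notification and check that the final phase reports rule 100100 rather than 31106. Keeping the URL anchor narrow (a prefix match on the Splunk search path, not a blanket exclusion of the vhost) matters, because the original rule exists to catch an attack that actually succeeded; if the client address is fixed, adding a `<srcip>` element with that address narrows the exception further.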