
[ossec-list] Re: False positive



In local_rules.xml add:

<group name="web">
  <!-- Override rule 31106 ("web attack returned code 200") at level 0 for Splunk
       searches coming from this client; srcip is the client address the
       web-accesslog decoder extracts from access_log, hostname would be the
       log source's host and would not match an IP in the request line -->
  <rule id="10000001" level="0">
    <if_sid>31106</if_sid>
    <srcip>213.219.188.224</srcip>
    <match>splunk</match>
    <description>Splunk events ignore</description>
  </rule>
</group>

manu.delcon@xxxxxx wrote:
> I recently installed Ossec but am receiving a lot of false positives 
> from splunk (log below) with the highest alert level 12.
> 
> Is there any way to exclude these from ossec somewhere?
> 
> OSSEC HIDS Notification.
> 2007 Jul 12 22:35:18
> 
> Received From:
> XXXXXXX->/var/www/vhosts/XXXXXX/statistics/logs/access_log
> Rule: 31106 fired (level 12) -> "A web attack returned code 200
> (success)." Portion of the log(s):
> 
> 213.219.188.224 - XXXX [12/Jul/2007:22:35:16 +0200] "GET
> /v2/splunk/search?q=page%200-10000%2010000%20%20%5B%20bundle%20savedsear
> ches%20%7C%20filter%20disabled%20!%3D%20%22true%22%20%7C%20rename%20quer
> y%20AS%20term%20%7C%20fields%20name%2Cterm%20%7C%20sort%20name%20a%20%5D
> %20%20%7C%20outputxml%20autolimit%3A%3A350%20%22timeformat%3A%3A%25m%2F%
> 25d%2F%25Y%20%25H%3A%25M%3A%25S%22&xsl=s_metadata.xsl HTTP/1.1" 200
> 10521 "XXXXXXX" "Mozilla/5.0 (Windows; U; Windows NT
> 5.1; nl; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
> 
>  --END OF NOTIFICATION
> 
> 
> 
> ________
> Disclaimer: This e-mail is intended for the exclusive use by the person(s)
>  mentioned as recipient(s). 
> This e-mail and its attachments, if any, contain confidential information 
> and/or information protected by intellectual property rights or other rights.
> This e-mail does not constitute any commitment for ING or its subsidiaries 
> except when expressly otherwise agreed in a written agreement between the 
> intended recipient and the originating subsidiaries of ING, sender of the mail.
> If you receive this message by mistake, please, notify the sender with the 
> "reply" option and delete immediately this e-mail from your system, and 
> destroy all copies of it.
> You may not, directly or indirectly, use, disclose, distribute, print or copy,
>  this e-mail or any part of it if you are not the intended recipient.
> You have to take at any time all necessary measures against viruses.
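The override works because OSSEC evaluates a child rule (one with `<if_sid>`) only after its parent has matched, and the child's level then replaces the parent's, so level 0 silences the alert for that client only. The following Python is an added illustration, not OSSEC code or anything from this thread: it models that parent/child evaluation with a simplified stand-in for rule 31106 (the real rule chains off 31103-31105 and the HTTP status; the attack pattern here is constructed for the demo), decodes constructed access_log lines the way the web-accesslog decoder exposes `srcip`, `url` and `id`, and shows that the Splunk request from 213.219.188.224 drops to level 0 while a similar request from another address still alerts at level 12.

```python
"""Added example: a minimal model of OSSEC parent/child rule evaluation.

Rule ids, levels and field names follow OSSEC; the matching logic and the
attack pattern used for rule 31106 are simplified stand-ins written for this
demonstration, not OSSEC's own implementation.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Combined-format Apache access_log line; the named groups mirror the fields the
# OSSEC web-accesslog decoder extracts (srcip, url, id = HTTP status).
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) (?P<size>\S+)'
)

def decode_access_log(line: str) -> dict:
    """Mimic the web-accesslog decoder: return srcip, url, status id and the raw log."""
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError("not an access_log line")
    return {"srcip": m.group("srcip"), "url": m.group("url"),
            "id": m.group("id"), "full_log": line}

@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None        # parent rule this one refines
    srcip: Optional[str] = None         # exact client address to match
    match: Optional[str] = None         # substring that must appear in the full log
    url_pattern: Optional[str] = None   # regex applied to the decoded url field
    status: Optional[str] = None        # HTTP status id

    def matches(self, ev: dict) -> bool:
        if self.srcip is not None and ev["srcip"] != self.srcip:
            return False
        if self.match is not None and self.match not in ev["full_log"]:
            return False
        if self.url_pattern is not None and not re.search(self.url_pattern, ev["url"]):
            return False
        if self.status is not None and ev["id"] != self.status:
            return False
        return True

def evaluate(rules, ev) -> Optional[Rule]:
    """Walk rules in order; a child whose if_sid is the currently fired rule and
    that also matches takes over the verdict (and its level)."""
    fired = None
    for r in rules:
        if r.if_sid is None:
            if r.matches(ev):
                fired = r
        elif fired is not None and r.if_sid == fired.id and r.matches(ev):
            fired = r
    return fired

# Constructed stand-in for the attack patterns behind 31106: SQL keywords or a
# pipe character in the query string, answered with HTTP 200.
WEB_ATTACK_URL = r"(%20|\s)(select|union|bundle|filter)(%20|\s)|%7C|\|"
RULES = [
    Rule(31106, 12, "A web attack returned code 200 (success).",
         url_pattern=WEB_ATTACK_URL, status="200"),
    # The local override from the reply, keyed on the client address and "splunk".
    Rule(10000001, 0, "Splunk events ignore", if_sid=31106,
         srcip="213.219.188.224", match="splunk"),
]

SAMPLE_LOGS = [
    # Constructed: a Splunk search like the one in the original notification.
    '213.219.188.224 - XXXX [12/Jul/2007:22:35:16 +0200] "GET /v2/splunk/search?q=page%200-10000%20%7C%20outputxml HTTP/1.1" 200 10521 "-" "Mozilla/5.0"',
    # Constructed: a suspicious query from a different client; must still alert.
    '198.51.100.7 - - [12/Jul/2007:22:40:01 +0200] "GET /index.php?id=1%20union%20select%201 HTTP/1.1" 200 512 "-" "curl/7.0"',
    # Constructed: an ordinary request; no rule should fire.
    '198.51.100.8 - - [12/Jul/2007:22:41:11 +0200] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def alert_levels(lines=SAMPLE_LOGS):
    """Return (srcip, fired rule id, level) per line; None when nothing fires."""
    out = []
    for line in lines:
        ev = decode_access_log(line)
        r = evaluate(RULES, ev)
        out.append((ev["srcip"], r.id if r else None, r.level if r else None))
    return out

if __name__ == "__main__":
    for srcip, rid, lvl in alert_levels():
        print(f"{srcip:16} rule={rid} level={lvl}")
```

The point to notice is that the override is anchored on both `srcip` and the `splunk` substring: the second sample line trips the same parent rule but keeps its level 12 because the client address differs, which is the property you want from a false-positive exception in production.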





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.