[ossec-list] Re: Question about Snort False positive
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Question about Snort False positive
- From: "Tim Slighter" <tcslighter@xxxxxxxxx>
- Date: Wed, 6 Jun 2007 13:40:32 -0700
Maybe create a custom rule identical to the rule shown, but insert source or destination IP addresses as needed.
On 6/6/07, FRANCIS PROVENCHER <francis.provencher@xxxxxxxxxxxxxx> wrote:
Hi all, I'm new to the OSSEC world.
My OSSEC installation watches for NIDS (Snort) alerts logged in /var/log/messages.
I've installed the web interface for OSSEC... all works great! Except, when I press F5 (or when the web interface reloads by itself) to check whether alerts were added, Snort interprets it as an "attack". I always receive this error:
2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
Location: (************) 10.*.*.6->/var/log/messages
IDS event.
Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.*.*.2:34282 -> 10.*.*.6:80
How can I stop logging this false positive?
Sorry if the question has been asked before; I've googled for some time but found nothing about it.
Thanks all
Francis Provencher
Ministère de la Sécurité publique du Québec
Information Technology Directorate
IT Security Division
Tel: 1 418 646-3258
Email: Francis.provencher@xxxxxxxxxxxxxx
CEH - Certified Ethical Hacker
SSCP - Systems Security Certified Practitioner
Sec+ - Security +
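As an added illustration of the override suggested above (example configuration, not from the thread or the OSSEC project), here is a local_rules.xml entry that silences only this Snort signature when it originates from the web UI host. It assumes the masked web UI address 10.*.*.2 is 10.0.0.2, a free local rule id of 100101, and the id/srcip fields that OSSEC's Snort decoder extracts from the alert line.

```xml
<!-- Added example, not part of the original thread. Assumed values:
     web UI host = 10.0.0.2 (the masked 10.*.*.2 in the alert),
     local rule id = 100101 (any id in the 100000-119999 range is free
     for local rules). Place this in rules/local_rules.xml and restart
     OSSEC. -->
<group name="local,syslog,ids,">

  <!-- Child of the generic "IDS event." rule 20101. It only matches
       the exact Snort signature tripped by the web UI reload
       (1:882:5, WEB-CGI calendar access) coming from the web UI host.
       Level 0 means no alert is generated. Any other signature from
       that host, or this signature from any other source address,
       still raises rule 20101 at level 6 as before, so a real scan
       of the web server is not hidden. -->
  <rule id="100101" level="0">
    <if_sid>20101</if_sid>
    <id>1:882:5</id>
    <srcip>10.0.0.2</srcip>
    <description>Snort WEB-CGI calendar access triggered by the OSSEC web UI reload (known false positive).</description>
  </rule>

</group>
```

Keeping the match this narrow (signature id plus source IP) is preferable to ignoring every IDS event from the web UI host, which would also hide genuine alerts if that host were ever compromised.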
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.