On 6/6/07, FRANCIS PROVENCHER <francis.provencher@xxxxxxxxxxxxxx> wrote:
I've installed the Web interface for Ossec..all work great! Except, when I make an F5 (or when the web interface reloads by itself) to the Web interface to see if alerts were added, snort interprets it like an "attack". I always receive this error:
2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
Location: (************) 10.*.*.6->/var/log/messages
IDS event.
Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.*.*.2:34282 -> 10.*.*.6:80
How can I stop logging this false positive?
This Snort signature is a very common false positive and my recommendation is to disable it. It triggers on ANY uri with /calendar in it, such as any of these:
On a related note - I have been in the process of releasing an updated Snort config which incorporates false positive reduction from a variety of sources including honeynet projects.
The problem with Snort, or any other IDS for that matter, is that there are many false positives and significant tuning is required by each user. But what we can do is take input from a variety of contributors and, based on that, tune out the most common false positives. In some cases, we modify the Snort signature itself or modify the threshold rather than disabling the signature.
I'll post info to this list when this project is ready for public release. Anyone who wants to contribute Snort alert data, please contact me offlist.
Tom
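The tuning the reply describes (suppress or threshold rather than deleting the rule), written as a Snort 2.x threshold.conf fragment for the signature in the alert above, [1:882:5]. This is an added example, not from the original thread; it assumes snort.conf contains "include threshold.conf", and 10.0.0.6 is a placeholder for the masked host serving the OSSEC web interface.

```conf
# Added example: Snort 2.x threshold.conf entries for gen_id 1, sig_id 882
# (WEB-CGI calendar access). 10.0.0.6 is a placeholder for the OSSEC web
# interface server (the masked 10.*.*.6 in the alert), not a real address.

# Option 1 (narrow): silence the rule only for requests whose destination is
# the OSSEC web interface host. Browsers refreshing that page no longer alert,
# but the signature still fires for any other web server on the network.
suppress gen_id 1, sig_id 882, track by_dst, ip 10.0.0.6

# Option 2 (rate-limit): keep the alert but emit at most one per source host
# every 10 minutes, so an auto-reloading page cannot flood OSSEC rule 20101.
threshold gen_id 1, sig_id 882, type limit, track by_src, count 1, seconds 600

# Option 3 (blunt, what the reply recommends): drop the alert everywhere.
# Equivalent to commenting the rule out of web-cgi.rules.
# suppress gen_id 1, sig_id 882
```

Use only one of the three for the same sid; Snort needs a restart or SIGHUP to pick up threshold.conf changes.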