[ossec-list] Re: Question about Snort False positive
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Question about Snort False positive
- From: Isaac Straley <straley@xxxxxxx>
- Date: Wed, 06 Jun 2007 13:35:54 -0700
The best way would be to tune the rule in snort. However, if for some
reason that is not an option, you can add a rule to ignore in the
local_rules.xml file:
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
--
Isaac Straley
Manager, IT Security
Network and Academic Computing Services
University of California, Irvine
Office :: (949) 824-1471
Email :: straley@xxxxxxx
FRANCIS PROVENCHER wrote:
> Hi all, I'm new to the OSSEC world.
>
> My OSSEC installation watches for NIDS (Snort) log alerts in /var/log/message/.
>
> I've installed the web interface for OSSEC. All works great! Except, when I press F5 (or when the web interface reloads by itself) on the web interface to see if alerts were added, Snort interprets it as an "attack". I always receive this error:
>
> 2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
> Location: (************) 10.*.*.6->/var/log/messages
> IDS event.
>
> Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.*.*.2:34282 -> 10.*.*.6:80
>
> How can I stop logging this false positive?
>
> Sorry if the question has been asked before; I've googled for some time but found nothing about it.
>
> Thanks all
>
>
>
> Francis Provencher
> Ministère de la Sécurité publique du Québec
> Direction des technologies de l'information
> Division de la sécurité informatique
> Tel: 1 418 646-3258
> Email: Francis.provencher@xxxxxxxxxxxxxx
>
> CEH - Certified Ethical Hacker
> SSCP - Systems Security Certified Practitioner
> Sec+ - Security +
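A local_rules.xml entry of the kind the reply points to, added here as an example and not taken from the thread or from the OSSEC project itself. It rides on OSSEC's built-in rule 20101 (the "IDS event" rule shown in Francis's alert) and suppresses only the Snort signature 1:882:5 when it comes from the web-interface host; the rule id 100001 and the address 10.0.0.2 are assumptions, and the source-IP field relies on the Snort decoder extracting it.

```xml
<!-- Added example for local_rules.xml (assumption: OSSEC 1.x rule syntax). -->
<group name="local,syslog,">

  <!-- Level 0 means "log nothing and raise no alert".
       if_sid 20101 chains this rule after the generic IDS-event rule,
       so it fires only for Snort alerts already matched by 20101. -->
  <rule id="100001" level="0">
    <if_sid>20101</if_sid>
    <!-- Snort signature from the original alert: WEB-CGI calendar access -->
    <id>^1:882:5$</id>
    <!-- Assumed address of the host running the OSSEC web interface.
         Keeping this restriction means the same signature from any other
         source is still alerted on as before. -->
    <srcip>10.0.0.2</srcip>
    <description>Ignore Snort 1:882:5 triggered by the OSSEC web UI host</description>
  </rule>

</group>
```

After editing the file, feed the original syslog line to ossec-logtest and confirm that the output now shows rule 100001 at level 0 instead of rule 20101 at level 6; a Snort line with a different source address should still match 20101.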