[ossec-list] New OSSEC User: False Positive
- To: ossec-list@xxxxxxxxx
- Subject: [ossec-list] New OSSEC User: False Positive
- From: scott@xxxxxxxxxxx
- Date: Tue, 19 Jun 2007 14:15:14 -0700 (MST)
I just installed OSSEC in local mode on a server this morning that hosts a
handful of domains. I'm getting the following false positive:
** Alert 1182271050.356: mail - web,accesslog,attack,
2007 Jun 19 09:37:30 122->/home/domain/logs/access_log
Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).'
Src IP: 192.168.0.1
User: (none)
192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET
/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
The log file entry is:
192.168.0.1 - - [17/Jun/2007:15:42:18 -0700] "GET
/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
It looks like it's matching on rule 31106 in web_rules.xml due to the
image file name containing the word "from" surrounded by spaces. I
imagine the likelihood of this happening elsewhere is high.
How best should I deal with the issue?
Thanks.
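One way to handle this kind of false positive in OSSEC, given here as an added example that is not part of the original post: add a level-0 child of rule 31106 to local_rules.xml so that the "web attack returned code 200" alert is suppressed only for the directory that holds these photo files. The rule id 100100 and the path prefix /images/listing_photos/ are assumptions chosen for this example; OSSEC reserves ids 100000-109999 for local rules.

```xml
<!-- local_rules.xml: added example, not from the original post.
     Rule id 100100 and the path prefix are assumptions; use any free id
     in the 100000-109999 range that OSSEC reserves for local rules. -->
<group name="local,web,accesslog,">

  <!-- Evaluated only after 31106 ('A web attack returned code 200')
       has already matched. A level-0 child suppresses the parent alert,
       but only for requests under the listing photo directory, where
       file names such as "thumb_11_house%20from%20gate.jpg" contain
       " from " and trip the attack rule. Genuine attacks against other
       paths still alert at level 12 as before. -->
  <rule id="100100" level="0">
    <if_sid>31106</if_sid>
    <url>^/images/listing_photos/</url>
    <description>Listing photo request, not a web attack (local override)</description>
  </rule>

</group>
```

Before restarting OSSEC, paste the offending access_log line into /var/ossec/bin/ossec-logtest to confirm it now ends at rule 100100 (level 0), and paste a request against a path outside that directory to confirm rule 31106 still fires.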