[ossec-list] Re: New OSSEC User: False Positive

[Josh Drummond <jdrummon@xxxxxxx>]

Hi,

You could add an ignore rule for that rule id #31106... look at 
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules for 
details.  I would not ignore that rule completely though, because the 
last thing you want are false negatives, and that is a common 
attack.  Consider ignoring that rule id but only if you <match> 
/images/ in the URL or something like that, its unlikely someone will 
SQL Inject something in an images directory.

HTH,
~Josh

At 02:15 PM 6/19/2007, scott@xxxxxxxxxxx wrote:


>I just installed OSSEC in local mode on a server this morning that hosts a
>handful of domains.  I'm getting the following false positive:
>
>** Alert 1182271050.356: mail  - web,accesslog,attack,
>2007 Jun 19 09:37:30 122->/home/domain/logs/access_log
>Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).'
>Src IP: 192.168.0.1
>User: (none)
>192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET
>/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
>
>The log file entry is:
>
>192.168.0.1 - - [17/Jun/2007:15:42:18 -0700] "GET
>/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
>
>It looks like it's matching on rule 31106 in web_rules.xml due to the
>image file name containing the word "from" surrounded by spaces.  I
>imagine the likelihood of this happening elsewhere is high.
>
>How best should I deal with the issue?
>
>Thanks.