[ossec-list] Re: New OSSEC User: False Positive
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: New OSSEC User: False Positive
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 20 Jun 2007 19:46:00 -0300
- Cc: scott@xxxxxxxxxxx
Hi Josh,
Great suggestion, but I would recommend using the "url" tag instead of
"match" to ignore these patterns:
<rule id="100101" level="0">
<if_sid>31106</if_sid>
<url>^/images/listing_photos</url>
<description>Events ignored</description>
</rule>
Just add that to local_rules.xml and you should be good to go.
*btw, I don't think that these rules are very likely to generate false
positives, especially on Unix systems (where people don't use spaces for
file names). It is matching on the %20from%20, which is commonly used in
SQL injections...
hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/19/07, Josh Drummond <jdrummon@xxxxxxx> wrote:
>
> Hi,
>
> You could add an ignore rule for that rule id #31106... look at
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules for
> details. I would not ignore that rule completely though, because the
> last thing you want are false negatives, and that is a common
> attack. Consider ignoring that rule id but only if you <match>
> /images/ in the URL or something like that; it's unlikely someone will
> SQL inject something in an images directory.
>
> HTH,
> ~Josh
>
> At 02:15 PM 6/19/2007, scott@xxxxxxxxxxx wrote:
>
>
> >I just installed OSSEC in local mode on a server this morning that hosts a
> >handful of domains. I'm getting the following false positive:
> >
> >** Alert 1182271050.356: mail - web,accesslog,attack,
> >2007 Jun 19 09:37:30 122->/home/domain/logs/access_log
> >Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).'
> >Src IP: 192.168.0.1
> >User: (none)
> >192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET
> >/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
> >
> >The log file entry is:
> >
> >192.168.0.1 - - [17/Jun/2007:15:42:18 -0700] "GET
> >/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
> >
> >It looks like it's matching on rule 31106 in web_rules.xml due to the
> >image file name containing the word "from" surrounded by spaces. I
> >imagine the likelihood of this happening elsewhere is high.
> >
> >How best should I deal with the issue?
> >
> >Thanks.
>
>
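The rule chain discussed in this thread, as an added example that is not OSSEC's own decoder or rule code: a small Python model of "attack pattern in the request URL, then the 200 status check of rule 31106, then a level-0 child rule that suppresses the alert". It also shows why the <url> tag is the safer choice than <match>: in OSSEC, <match> is tested against the whole log line, while <url> is tested only against the decoded URL field, so an ignore rule written as <match>/images/</match> would also silence an injection attempt whose query string merely mentions /images/. The attack regex is a deliberately simplified stand-in for OSSEC's real signature list (the thread says the rule fires on %20from%20), the rule names are mine, and the log lines are constructed for the example.

```python
import re

# Constructed Apache access-log lines for the example (not from the original post).
# Line 1: the false positive from the thread.
# Line 2: an injection attempt that returned 200.
# Line 3: the same attempt that returned 500 (rule 31106 needs a 200).
# Line 4: an injection attempt whose query string happens to mention /images/.
SAMPLE_LOG = """\
192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
192.168.0.1 - - [19/Jun/2007:09:38:02 -0700] "GET /search.php?q=1%20union%20select%20password%20from%20users HTTP/1.1" 200 512
192.168.0.1 - - [19/Jun/2007:09:38:40 -0700] "GET /search.php?q=1%20union%20select%20password%20from%20users HTTP/1.1" 500 310
192.168.0.1 - - [19/Jun/2007:09:39:10 -0700] "GET /admin.php?redirect=/images/listing_photos/x%20from%20y HTTP/1.1" 200 77
"""

# Apache common/combined log format, just the fields this model needs.
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Simplified stand-in for the web-attack signature (assumption: OSSEC's real
# list is longer). The thread says the rule fires on "%20from%20".
ATTACK_RE = re.compile(r'%20from%20|%20select%20|%20union%20', re.IGNORECASE)

# Daniel's ignore rule, <url>^/images/listing_photos</url>, as a regex.
IGNORE_URL_RE = re.compile(r'^/images/listing_photos')


def decode(line):
    """Mimic the access-log decoder: pull srcip, url and status out of a line."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(line, ignore_with):
    """Return the outcome for one log line.

    ignore_with="url":   child rule uses <url>^/images/listing_photos</url>
                         (tested against the decoded URL field only)
    ignore_with="match": child rule uses <match>/images/</match>
                         (tested against the whole log line)
    ignore_with=None:    no ignore rule at all (baseline)
    """
    ev = decode(line)
    if ev is None:
        return "not-decoded"
    # Parent rule: attack pattern present in the request URL.
    if not ATTACK_RE.search(ev["url"]):
        return "clean"
    # Rule 31106 only fires when the attack returned code 200.
    if ev["status"] != "200":
        return "attack-non-200"
    # Level-0 child rule: if it matches, the alert is suppressed.
    if ignore_with == "url" and IGNORE_URL_RE.search(ev["url"]):
        return "ignored"
    if ignore_with == "match" and "/images/" in line:
        return "ignored"
    return "alert-31106"


def run(log_text, ignore_with):
    """Evaluate every non-empty line of log_text with the chosen ignore rule."""
    return [evaluate(l, ignore_with) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for mode in (None, "url", "match"):
        print(f"ignore rule: {mode!s:6} -> {run(SAMPLE_LOG, mode)}")
```

Run it and compare the last line of output: with the <url> version only the photo request is suppressed and the /admin.php attempt still raises 31106; with <match>/images/</match> that attempt is silenced too, because the literal /images/ sits in the query string of the full log line.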
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.