[ossec-list] Re: Active Responses
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active Responses
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 27 Sep 2007 21:49:49 -0300
Hi Andy,
The best way to ignore those is to write a local rule to ignore the event, instead of just ignoring them for the active response. Since you know it is a false positive, you don't need to be seeing alerts about them.
Something like that would work (just copy to your local_rules.xml):
<rule id="100101" level="0">
  <!-- child of 31101 (web 400 error); level 0 means these hits are never alerted or counted -->
  <if_sid>31101</if_sid>
  <url>url1_to_ignore|url2_to_ignore</url>
  <description>Ignoring false positives...</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/27/07, tswmmeejsdad@xxxxxxxxx <tswmmeejsdad@xxxxxxxxx> wrote:
>
> Although it's good to enable active response for just the rules you
> want - is there a way to do the opposite that allows you to add a rule
> that won't fire off active response (like an exception list).
>
> For example I am getting a lot of web customers who have embedded
> javascript code in their HTML files that does not exist - hence
> triggering Rule: 31151 (level 10) -> 'Mutiple web server 400 error
> codes from same source ip.'. Because I have active response turned on,
> these unknowing customers' IPs are blocked after browsing to a few
> pages within the site because the web server can't find those java
> scripts. I know it's bad coding but is there a way to exclude this
> rule from triggering active response without having to turn active
> response off?
>
> Thanks.
>
> Andy
>
>
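As an added example (not from the original thread), here is Daniel's suggestion written out as a complete local_rules.xml fragment: the 400 errors for the known-missing scripts are matched as a level-0 child of rule 31101, so the frequency rule 31151 never accumulates them and the firewall-drop response is never reached, while genuine 400 floods from other paths still trigger it. The group name and the two script paths are assumed placeholders; the url field is an OSSEC regex, so the paths are anchored and the dots escaped.

```xml
<!-- local_rules.xml: suppress known false-positive 400s before they feed rule 31151 -->
<group name="local,web,">

  <!-- Rule 31151 is a frequency rule that counts matches of 31101 (web 400 error)
       from the same srcip. A level-0 child of 31101 that matches first stops the
       event being alerted and stops it being counted toward 31151. -->
  <rule id="100101" level="0">
    <if_sid>31101</if_sid>
    <!-- Anchor each path (^ and $) and escape dots so only these two URLs match;
         placeholder paths, replace with the scripts your customers reference. -->
    <url>^/js/legacy-tracker\.js$|^/js/old-menu\.js$</url>
    <description>Ignoring 400 errors for known-missing customer scripts.</description>
  </rule>

</group>
```

Restart OSSEC after editing, then check with ossec-logtest by pasting one of the offending access-log lines: it should now match rule 100101 at level 0 instead of 31101.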
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.