I just installed OSSEC in local mode on a server this morning that hosts a handful of domains. I'm getting the following false positive:
** Alert 1182271050.356: mail - web,accesslog,attack, 2007 Jun 19 09:37:30 122->/home/domain/logs/access_log Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).' Src IP: 192.168.0.1 User: (none) 192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069 The log file entry is: 192.168.0.1 - - [17/Jun/2007:15:42:18 -0700] "GET /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069 It looks like it's matching on rule 31106 in web_rules.xml due to the image file name containing the word "from" surrounded by spaces. I imagine the likelihood of this happening elsewhere is high. How best should I deal with the issue? Thanks.
