Hi,

You could add an ignore rule for that rule id #31106... look at 
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules for 
details.  I would not ignore that rule completely though, because the 
last thing you want is false negatives, and that is a common 
attack.  Consider ignoring that rule id but only if you <match> 
/images/ in the URL or something like that, it's unlikely someone will 
SQL Inject something in an images directory.

HTH,
~Josh

At 02:15 PM 6/19/2007, [EMAIL PROTECTED] wrote:


>I just installed OSSEC in local mode on a server this morning that hosts a
>handful of domains.  I'm getting the following false positive:
>
>** Alert 1182271050.356: mail  - web,accesslog,attack,
>2007 Jun 19 09:37:30 122->/home/domain/logs/access_log
>Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).'
>Src IP: 192.168.0.1
>User: (none)
>192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET
>/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
>
>The log file entry is:
>
>192.168.0.1 - - [17/Jun/2007:15:42:18 -0700] "GET
>/images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069
>
>It looks like it's matching on rule 31106 in web_rules.xml due to the
>image file name containing the word "from" surrounded by spaces.  I
>imagine the likelihood of this happening elsewhere is high.
>
>How best should I deal with the issue?
>
>Thanks.
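As an added illustration (not from Josh's reply or the OSSEC project), this is what the scoped exemption Josh describes could look like in local_rules.xml; the rule id 100106 and the use of the `<url>` field instead of `<match>` are my assumptions, and the blanket version is shown first, commented out, for contrast:

```xml
<!-- Added example, not part of the thread; assumes OSSEC local_rules.xml conventions. -->
<group name="local,web,">

  <!-- Blanket form: silences rule 31106 for every request, which is the
       exemption the reply advises against, since real injection attempts
       that return 200 would no longer alert. Kept commented out. -->
  <!--
  <rule id="100105" level="0">
    <if_sid>31106</if_sid>
    <description>NOT RECOMMENDED: ignores every web attack alert with a 200 response</description>
  </rule>
  -->

  <!-- Scoped form: only drop the alert when the requested URL sits under
       /images/, where "house from gate.jpg" is a photo name, not a query.
       100106 is an assumed local id (local rules use 100000 to 119999).
       The url field is matched against the decoded request path, so ^
       anchors at the leading slash. -->
  <rule id="100106" level="0">
    <if_sid>31106</if_sid>
    <url>^/images/</url>
    <description>Ignore rule 31106 for static files under /images/ (local override)</description>
  </rule>

</group>
```

After restarting OSSEC, paste the original access_log line into /var/ossec/bin/ossec-logtest to confirm that 100106 (level 0) now matches instead of 31106, then try the same line with a path outside /images/ to confirm 31106 still fires.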