We have OSSEC running on a couple of webapp servers and we're seeing FPs
in the OSSEC logs that seem to be flagging the following section of this
sample URI:

+select+fixed+income

My guess is that OSSEC sees this as SQL and alerts on it.  We need to be
able to get rid of these FPs since the word "select" can certainly be
valid in certain URIs.  I guess the challenge is how to remove this FP
without disabling the functionality altogether since we would want
OSSEC to pick up on a true SQL injection attack.

The full URI is:

GET /mit/request?SECTION=PRI&PAGE=JobList&jobtype=PROXY&dosearch=1&issuername=evergreen+select+fixed+income+trust&jobnumber=&statuscodes=NW&statuscodes=MP&statuscodes=MR&statuscodes=RP&statuscodes=PV&statuscodes=VC&statuscodes=PR&statuscodes=MA&statuscodes=MD&statuscodes=RC&statuscodes=NH&statuscodes=JM&statuscodes=JA
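An added example, not from the poster, of the usual way to scope out this kind of false positive in OSSEC without disabling SQL injection detection: a child rule in local_rules.xml that fires only for the known-good request above and sets the level to 0, while every other hit on the parent rule still alerts. It assumes the alert comes from OSSEC's stock "SQL injection attempt" rule 31103 in web_rules.xml (check the rule id shown in your own alert) and that id 100100 is free in your local rule range; the /mit/request path and the issuername parameter are taken from the URI in the post.

```xml
<group name="local,web,">

  <!-- Child of the SQL injection rule (assumed stock id 31103; verify against
       the rule id in the actual alert). Level 0 silences only the case where
       the request is the JobList search on /mit/request and the issuername
       value is a legitimate issuer name containing "select"; any other URL
       that trips the parent rule still raises the original alert. -->
  <rule id="100100" level="0">
    <if_sid>31103</if_sid>
    <!-- url uses OSSEC's simple match syntax: anchored literal prefix -->
    <url>^/mit/request</url>
    <!-- regex uses OS_Regex: \w is an alphanumeric run, \p a punctuation
         character (the literal "+" separating the words in the query) -->
    <regex>issuername=\w+\pselect\pfixed\pincome</regex>
    <description>Known-good issuer name containing "select" on /mit/request JobList search; not SQL injection.</description>
  </rule>

</group>
```

After adding the rule, run ossec-logtest with the offending access log line to confirm it now ends at level 0 on rule 100100, and with a log line containing a real injection pattern to confirm rule 31103 still fires.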

