Ignoring a vulnerability scanner


Sprissler, Noah

Nov 24, 2009, 4:05:51 PM
to ossec...@googlegroups.com

Hey folks,

I’ve tried a couple of different rules to tune out this vulnerability scanner, but I still seem to be getting a boatload of alerts from it and I can’t determine why. There must be something I’m missing. Any pointers would be much appreciated. Here are the rules I put in place to filter out the alerts (obviously not the real address):


For alerts where srcip is parsed (this appears to work):

  <rule id="100080" level="0">
    <srcip>1.2.3.4</srcip>
    <description>Ignore any alert from X</description>
  </rule>

For all other alerts:

  <rule id="100130" level="0">
    <match>1.2.3.4</match>
    <description>Ignore any alert from X</description>
  </rule>

Thanks,

Noah



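For comparison, here is an added example (not from the post or the OSSEC project) of the way OSSEC's own rule documentation scopes an ignore rule: rather than a standalone rule, the level-0 rule is made a child of the rule that actually fires via `<if_sid>`, so it is evaluated in that rule's tree and overrides it for one source address. It assumes the `1.2.3.4` placeholder from the post, rule 30112 from the alerts quoted in the follow-up, the stock Apache error-log parent rule 30101, and hypothetical local rule ids 100081 and 100082.

```xml
<!-- Added example for local_rules.xml; ids 100081/100082 are hypothetical,
     1.2.3.4 is the placeholder scanner address from the post. -->
<group name="local,">

  <!-- Weak form (as posted): a standalone level-0 rule. It is a root rule,
       so it competes with every other root rule (including 30101, the
       Apache error-log parent) for the event; once 30101 claims the event
       and its child 30112 matches, this rule is never consulted. -->
  <rule id="100080" level="0">
    <srcip>1.2.3.4</srcip>
    <description>Ignore any alert from X</description>
  </rule>

  <!-- Corrected form: attach the ignore rule to the rule that fires.
       Level-0 children are checked first and, when they match, the event
       is discarded instead of alerting at 30112's level 5. -->
  <rule id="100081" level="0">
    <if_sid>30112</if_sid>
    <srcip>1.2.3.4</srcip>
    <description>Ignore "file does not exist" noise from the authorised scanner</description>
  </rule>

  <!-- Broader variant (assumption: same override semantics one level up):
       silence the whole Apache error-log tree (30101) for that address,
       not only 30112. Note that srcip is an exact IP/CIDR comparison,
       whereas the posted <match>1.2.3.4</match> is a plain substring test
       that would also hit unrelated addresses such as 11.2.3.4 or 1.2.3.45. -->
  <rule id="100082" level="0">
    <if_sid>30101</if_sid>
    <srcip>1.2.3.4</srcip>
    <description>Ignore Apache error-log alerts from the authorised scanner</description>
  </rule>

</group>
```

Both child rules depend on the apache-errorlog decoder having extracted srcip from the `[client 1.2.3.4]` field, which the alerts quoted below show it does.
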
spriss

Nov 25, 2009, 12:05:31 PM
to ossec-list
Example of alerts still received:

OSSEC HIDS Notification.
2009 Nov 25 11:19:40

Received From: phsossim1->/var/log/apache2/error.log
Rule: 30112 fired (level 5) -> "Attempt to access an non-existent
file."
Portion of the log(s):

[Wed Nov 25 11:19:40 2009] [error] [client 1.2.3.4] File does not
exist: /var/www/cgi-bin

--END OF NOTIFICATION


OSSEC HIDS Notification.
2009 Nov 25 11:19:40

Received From: phsossim1->/var/log/apache2/error.log
Rule: 30112 fired (level 5) -> "Attempt to access an non-existent
file."
Portion of the log(s):

[Wed Nov 25 11:19:40 2009] [error] [client 1.2.3.4] File does not
exist: /var/www/cgibin

--END OF NOTIFICATION


OSSEC HIDS Notification.
2009 Nov 25 11:19:40

Received From: phsossim1->/var/log/apache2/error.log
Rule: 30112 fired (level 5) -> "Attempt to access an non-existent
file."
Portion of the log(s):

[Wed Nov 25 11:19:40 2009] [error] [client 1.2.3.4] File does not
exist: /var/www/scripts

--END OF NOTIFICATION


OSSEC HIDS Notification.
2009 Nov 25 11:19:40

Received From: phsossim1->/var/log/apache2/error.log
Rule: 30112 fired (level 5) -> "Attempt to access an non-existent
file."
Portion of the log(s):

[Wed Nov 25 11:19:40 2009] [error] [client 1.2.3.4] File does not
exist: /var/www/cgi-win

--END OF NOTIFICATION