wazuh-ruleset
False positive from RequesTracker logs
We have an Apache2 HTTP server that runs an RT instance. Its logs are monitored by Wazuh, and there are plenty of false alerts caused by queries on the RT system.
Here's an example:
"GET /Search/Results.html?Format=%27%3Ca%20href%3D%22__WebPath__%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%2FTITLE%3A%23%27%2C%27%3Ca%20href%3D%22__WebPath__%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%2FTITLE%3ASubject%27%2CQueueName%2C%20ExtendedStatus%2C%20CreatedRelative%2C%20%27%3Ca%20href%3D%22__WebPath__%2FTicket%2FDisplay.html%3FAction%3DTake%26amp%3Bid%3D__id__%22%3EPrendi%20in%20carico%3C%2Fa%3E%2FTITLE%3ANBSP%27&Order=ASC&OrderBy=Queue&Page=1&Query=%20Owner%20%3D%20%27Nobody%27%20AND%20Status%20%3D%20%27__Active__%27&Rows=50 HTTP/1.1"
rule.id: 31164
rule.nist_800_53: SA.11, SI.4
rule.gdpr: IV_35.7.d
decoder.parent: web-accesslog
decoder.name: web-accesslog
Hope this can help have better rules.
Hello @michelep
First of all, thank you for the feedback. We will analyze this case. Meanwhile, I am going to explain to you the reason for the generation of these alerts and possible solutions to silence them.
The alerts are generated from rule 31164: https://github.com/wazuh/wazuh-ruleset/blob/b26f7f5b75aab78ff54fc797e745c8bdb6c23017/rules/0245-web_rules.xml#L235-L244
In this case, this part, =%27|, in <url> matches some part of the log and alerts are generated.
Maybe you want to silence these alerts. If the IP is known and trusted, you can create this custom rule and add it to /var/ossec/etc/rules/local_rules.xml:
<rule id="100010" level="0">
<if_sid>31164</if_sid>
<srcip>10.11.12.13</srcip>
<description>False positive SQL injection attempt.</description>
</rule>
Or you can do the same but with some part of the log:
<rule id="100011" level="0">
<if_sid>31164</if_sid>
<url>Some part of the log</url>
<description>False positive SQL injection attempt.</description>
</rule>
Regards, Daniel
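To make the mechanics of the thread concrete, here is an added example (not code from the issue, nor Wazuh's own engine) that emulates, in a simplified way, how rule 31164 fires on the RT request quoted above and how a level-0 child rule with <if_sid>31164</if_sid> suppresses it, either by <srcip> (rule 100010) or by a <url> fragment (rule 100011). Assumptions: the log lines are constructed Apache combined-format entries (the request is abbreviated from the one in the issue; IPs, timestamps and user agents are made up); the 31164 pattern is shown only partially on the page, so the example uses the assumed pattern `=%27|='` and an assumed level of 6; only the `|` (OR) operator of OSSEC regex is emulated, with each alternative treated as a literal substring; the alert threshold of 3 is the default <log_alert_level>; and the url fragment `/Search/Results.html` is a hypothetical choice for what "some part of the log" could be.

```python
"""Simplified emulation of Wazuh web-accesslog rule matching for the RT false positive.

Added example for this thread; not Wazuh code. Rule levels, the 31164 pattern,
the log lines and the chosen url fragment are assumptions (see lead-in).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Apache combined log format: srcip ident user [ts] "METHOD URL PROTO" status size ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

ALERT_LEVEL = 3  # default <log_alert_level>; level-0 rules never alert


@dataclass
class Entry:
    srcip: str
    url: str
    status: str


def parse_access_log(line: str) -> Optional[Entry]:
    """Extract the fields the web-accesslog decoder would expose (srcip, url, status)."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    return Entry(m.group("srcip"), m.group("url"), m.group("status"))


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None   # parent rule this one refines
    url: Optional[str] = None      # OSSEC-regex style pattern; only '|' (OR) emulated, literals otherwise
    srcip: Optional[str] = None    # single address or CIDR, both accepted by Wazuh <srcip>

    def matches(self, e: Entry) -> bool:
        if self.url is not None and not any(alt in e.url for alt in self.url.split("|")):
            return False
        if self.srcip is not None:
            net = ipaddress.ip_network(self.srcip, strict=False)
            if ipaddress.ip_address(e.srcip) not in net:
                return False
        return True


# Assumed rendering of rule 31164 (pattern and level are assumptions) plus the two
# level-0 overrides from the answer above; 100011 uses a hypothetical RT-specific fragment.
RULES: List[Rule] = [
    Rule(31164, 6, "SQL injection attempt.", url="=%27|='"),
    Rule(100010, 0, "False positive SQL injection attempt.", if_sid=31164, srcip="10.11.12.13"),
    Rule(100011, 0, "False positive SQL injection attempt.", if_sid=31164, url="/Search/Results.html"),
]


def evaluate(e: Entry, rules: List[Rule]) -> Optional[Rule]:
    """Return the most specific matching rule: walk from a root rule down through
    children whose if_sid points at the current match; first matching child wins."""
    current = next((r for r in rules if r.if_sid is None and r.matches(e)), None)
    while current is not None:
        child = next((r for r in rules if r.if_sid == current.id and r.matches(e)), None)
        if child is None:
            return current
        current = child
    return None


def triage(line: str, rules: List[Rule]) -> Tuple[Optional[int], int, bool]:
    """(rule id or None, final level, whether an alert would be raised) for one log line."""
    e = parse_access_log(line)
    if e is None:
        return None, 0, False
    rule = evaluate(e, rules)
    if rule is None:
        return None, 0, False
    return rule.id, rule.level, rule.level >= ALERT_LEVEL


# Constructed sample input: the RT search request is abbreviated from the issue,
# everything else is made up. The third line is a genuine-looking injection probe.
RT_REQUEST = (
    "GET /Search/Results.html?Format=%27%3Ca%20href%3D%22__WebPath__%2FTicket%2FDisplay.html"
    "%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%2FTITLE%3A%23%27&Order=ASC&OrderBy=Queue&Page=1"
    "&Query=%20Owner%20%3D%20%27Nobody%27&Rows=50 HTTP/1.1"
)
SAMPLE_LOGS = [
    f'10.11.12.13 - - [10/Jan/2020:10:00:01 +0100] "{RT_REQUEST}" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [10/Jan/2020:10:00:02 +0100] "{RT_REQUEST}" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2020:10:00:03 +0100] "GET /index.php?id=%27%20OR%201%3D1-- HTTP/1.1" 200 300 "-" "curl/7.68"',
    '10.11.12.13 - - [10/Jan/2020:10:00:04 +0100] "GET /static/logo.png HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line, RULES))
```

The trusted-IP override (100010) silences the RT query from 10.11.12.13 but not the same query from another address, while the url-fragment override (100011) silences any request to the RT search endpoint regardless of source; the plain injection probe against /index.php still alerts at level 6. Pick the <url> fragment as narrowly as possible (the RT endpoint path rather than the `=%27` token itself), otherwise the override also hides real injection attempts, and check the actual pattern and level of 31164 in the linked 0245-web_rules.xml before relying on this emulation.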