Monday, March 30, 2009

A tip on cooking OSSEC rules

How to configure OSSEC rules to ignore something?
I have logs like this:

Mar 30 17:50:20 192.168.x.201 192.168.xx.104 - - [30/Mar/2009:17:50:43 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:21 192.168.x.201 192.168.xx.104 - root [30/Mar/2009:17:50:44 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:22 192.168.x.201 192.168.xx.104 - svn [30/Mar/2009:17:50:45 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:24 192.168.x.201 192.168.xx.104 - user [30/Mar/2009:17:50:46 +0800] "OPTIONS /svn HTTP/1.1" 401 401

I just want an alert when somebody makes 4xx errors in a short time, but I want to ignore the "-" in the user field.

First, I add the user field in etc/decoder.xml:

(The element names below follow the OSSEC decoder/rule syntax; attribute values such as the decoder name, rule ids, levels, frequency and timeframe did not survive on this page and are shown as placeholders.)

<decoder name="DECODER_NAME">
  <type>web-log</type>
  <prematch>^\d+.\d+.\d+.\d+ </prematch>
  <regex>^(\d+.\d+.\d+.\d+) \S+ (\S+) [\S+ \S\d+] "\w+ (\S+) HTTP\S+ (\d+)</regex>
  <order>srcip, user, url, id</order>
</decoder>

Then add the new rules:

<rule id="RULE_ID" level="0">
  <if_sid>31101</if_sid>
  <user>^-</user>
</rule>

<rule id="RULE_ID" level="LEVEL" frequency="FREQUENCY" timeframe="TIMEFRAME">
  <if_matched_sid>31101</if_matched_sid>
  <description>Multiple web server 4XX error code. from same source ip.</description>
  <group>alert_by_email,attack,</group>
</rule>


You can ignore entries whose user field is "-" by giving that rule level=0 and placing it in front of rule 31166.
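To check that the decoder regex and the level-0 ignore rule behave as intended before loading them into OSSEC, here is an added Python simulation (not OSSEC's code and not from the original post). It applies a Python-syntax equivalent of the decoder regex to constructed sample lines (syslog header already stripped, client address made up), drops hits whose user is "-", and fires when an assumed frequency of 3 4xx hits from one source falls inside an assumed 60-second timeframe.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Python-syntax equivalent of the decoder regex from the post (OSSEC uses its
# own regex dialect, so this is a translation, not the identical pattern).
WEB_LOG_RE = re.compile(
    r'^(?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ (?P<user>\S+) '
    r'\[(?P<ts>\S+) [^\]]+\] "\w+ (?P<url>\S+) HTTP\S+" (?P<id>\d+)'
)

# Constructed sample input (IP made up). The "-" user lines are the normal
# first request a client sends before it answers the 401 auth challenge.
SAMPLE_LOG = """\
192.168.1.104 - - [30/Mar/2009:17:50:43 +0800] "OPTIONS /svn HTTP/1.1" 401 401
192.168.1.104 - root [30/Mar/2009:17:50:44 +0800] "OPTIONS /svn HTTP/1.1" 401 401
192.168.1.104 - - [30/Mar/2009:17:50:45 +0800] "OPTIONS /svn HTTP/1.1" 401 401
192.168.1.104 - svn [30/Mar/2009:17:50:45 +0800] "OPTIONS /svn HTTP/1.1" 401 401
192.168.1.104 - - [30/Mar/2009:17:50:46 +0800] "OPTIONS /svn HTTP/1.1" 401 401
192.168.1.104 - user [30/Mar/2009:17:50:46 +0800] "OPTIONS /svn HTTP/1.1" 401 401
192.168.1.104 - user [30/Mar/2009:17:50:47 +0800] "GET /svn/ HTTP/1.1" 200 1234
""".splitlines()

def decode(line):
    """Mimic the web-log decoder: return srcip/user/ts/url/id, or None if no match."""
    m = WEB_LOG_RE.search(line)
    return m.groupdict() if m else None

def correlate(lines, frequency=3, timeframe=60, ignore_dash=True):
    """Mimic rule 31101 (4xx) plus the frequency rule: return (srcip, ts) each time
    one source reaches `frequency` 4xx hits inside `timeframe` seconds.
    ignore_dash=True applies the level-0 rule that drops hits whose user is "-"."""
    alerts = []
    window = defaultdict(deque)          # srcip -> timestamps of counted hits
    for line in lines:
        ev = decode(line)
        if ev is None or not ev['id'].startswith('4'):
            continue                     # only 4xx responses match 31101
        if ignore_dash and ev['user'] == '-':
            continue                     # level-0 rule: never reaches the counter
        ts = datetime.strptime(ev['ts'], '%d/%b/%Y:%H:%M:%S')
        q = window[ev['srcip']]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()                  # drop hits outside the timeframe
        if len(q) >= frequency:
            alerts.append((ev['srcip'], ev['ts']))
            q.clear()                    # OSSEC resets the count after firing
    return alerts
```

With the ignore rule only the root/svn/user hits are counted, so the alert fires on the third named-user 401; without it the unauthenticated "-" lines would trip the threshold twice.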

Sunday, March 29, 2009

The frag3 preprocessor in Snort

Why is the frag3 preprocessor needed?
The frag3 preprocessor performs target-based analysis.
The term "target-based" is to identify an intelligent IDS that is informed about hosts residing on the network and is capable of analyzing traffic sent to those hosts as the host itself analyzes the traffic.
It improves the accuracy of the IDS.

for example:


How to use frag3 preprocessor in snort.conf?


like:
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24

Now any overlapping fragments that Snort sees destined for subnet 10.4.1.x are reassembled using the "first" fragmentation policy, so that Snort reassembles fragments destined to those hosts in precisely the same way as the Windows hosts themselves.

Friday, March 27, 2009

Snort rule for MS08-067

alert tcp any any -> any 445 (msg:"MS08067 RPC exploit"; content:"|2e 00 5c 00 5c|";offset:140; content:"|00 5c 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c 00|"; within:20;metadata:service RPC; classtype:bad-unknown; sid:9000015; rev:1;)

It works!

Tuesday, March 17, 2009

What is the matter with ossimframework.OssimDB : Error executing query (INSERT INTO event_stats....

OSSIM version 1.0.6 has a bug: it does not create the snort.event_stats table, which causes the Events -> Event Stats page to display an error.

This problem is described in https://www.ossim.net/forum/index.php?t=msg&goto=1125&S=fa53755c1ecfa7a74cb39dc4c245919e&srch=%22Event+Stats%22#msg_1125

You can resolve it by loading the missing table definition:
mysql -uroot -p snort < snort.event_stats.sql

Friday, March 6, 2009

Apache DirectoryIndex setting


DirectoryIndex index.html index.php

Between index.html and index.php use a space, not a comma.