How to best exclude false positives that are not fully specified through the Message field?

Open furrnace opened 1 year ago

Example of log messages generated when vulnerability scanners such as OpenVAS are running:

The thor false positives filter is just using the Message field value, and I would assume that this then filters ALL suspicious log entry findings, which would be too much. Is there a way to filter simultaneously on the Message AND on the Entry field? Or what would be a suitable solution?

The filters are applied to the entire log message, not only to the MESSAGE field. Try adding OpenVAS-VT to the false_positive_filters.cfg.

Could you tell me the rule name that triggered this event?

It doesn't give a rule name. LogScan module.

REASON_1: Filename IOC \login.jsp
SUBSCORE_1: 75
REF_1: Cisco JBoss Webshell Names https://goo.gl/drkm6k - modified list
SIGTYPE_1: internal
SIGCLASS_1: Filename IOC
MATCHED_1: /login.jsp
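To illustrate the point made in the replies (a filter string is matched against the whole log line, so a token from the ENTRY field such as the scanner's user-agent is enough to suppress the scanner-generated findings without touching identical findings from real clients), here is an added Python example; it is not THOR's code and not from this issue. The findings are constructed, and the filter semantics (case-insensitive substring match, `#` comment lines) are assumptions of the example rather than THOR's documented behaviour.

```python
import re

# Constructed THOR-style LogScan findings (made up for this example, not real
# THOR output), one flat "KEY: value KEY: value ..." line per finding. The
# first stems from a scanner request (OpenVAS user-agent inside ENTRY), the
# second from an ordinary browser hitting the same path.
CONSTRUCTED_EVENTS = [
    'MODULE: LogScan MESSAGE: Suspicious log entry found '
    'FILE: /var/log/apache2/access.log '
    'ENTRY: "GET /login.jsp HTTP/1.1" 404 "OpenVAS-VT 21.4" '
    'REASON_1: Filename IOC \\login.jsp SUBSCORE_1: 75 MATCHED_1: /login.jsp',
    'MODULE: LogScan MESSAGE: Suspicious log entry found '
    'FILE: /var/log/apache2/access.log '
    'ENTRY: "GET /login.jsp HTTP/1.1" 200 "Mozilla/5.0" '
    'REASON_1: Filename IOC \\login.jsp SUBSCORE_1: 75 MATCHED_1: /login.jsp',
]

# Field keys are upper-case words such as MESSAGE, ENTRY, REASON_1, MATCHED_1.
_KEY_RE = re.compile(r'\s*\b([A-Z][A-Z0-9_]*): ')

def parse_fields(line):
    """Split a flat finding into a {KEY: value} dict."""
    parts = _KEY_RE.split(line)          # ['', KEY, value, KEY, value, ...]
    return dict(zip(parts[1::2], (v.strip() for v in parts[2::2])))

def load_filters(text):
    """One filter string per line; blank lines and '#' comments are skipped
    (assumed file format, not necessarily THOR's)."""
    entries = (raw.strip() for raw in text.splitlines())
    return [e for e in entries if e and not e.startswith('#')]

def is_filtered(line, filters, whole_message=True):
    """True if any filter string occurs in the finding.

    whole_message=True matches the complete log line, the behaviour the
    replies describe; False restricts the match to the MESSAGE field, which
    is what the question assumed. Case-insensitive substring matching is an
    assumption of this example."""
    haystack = line if whole_message else parse_fields(line).get('MESSAGE', '')
    haystack = haystack.lower()
    return any(f.lower() in haystack for f in filters)

def apply_filters(lines, filters, whole_message=True):
    """Return the findings that survive the false-positive filters."""
    return [l for l in lines if not is_filtered(l, filters, whole_message)]
```

Running `apply_filters(CONSTRUCTED_EVENTS, load_filters("OpenVAS-VT"))` keeps only the browser-originated finding, whereas the same filter restricted to the MESSAGE field removes nothing, and a filter on the MESSAGE text itself would remove both.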