NextronSystems / thor-lite

Fast IOC and YARA Scanner

Q: How to best exclude false positives that are not fully specified through the Message field? #29

Open furrnace opened 1 year ago

furrnace commented 1 year ago

How to best exclude false positives that are not fully specified through the Message field?

Example of log messages generated when vulnerability scanners such as OpenVAS are running:

MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
..."GET /dotcms/html/portal/login.jsp HTTP/1.1" 200 8506 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 22.7.3)" 

The THOR false-positive filter just uses the Message field value, and I would assume that this then filters ALL suspicious log entry findings, which would be too much. Is there a way to filter simultaneously on the Message AND on the Entry field? Or what would be a suitable solution?

Neo23x0 commented 1 year ago

The filters are applied to the entire log message, not only to the MESSAGE field.

Try adding OpenVAS-VT to the false_positive_filters.cfg.
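The point of the answer above is that a filter pattern is matched against the whole event line, so a string taken from the ENTRY field (the scanner's User-Agent) suppresses only that finding, while a string copied from the MESSAGE field suppresses every finding with that message. The following is an added illustration written for this thread, not THOR's own code; it assumes a config of one regular expression per line with `#` comment lines, case-sensitive matching, and constructed single-line renderings of two LogScan events.

```python
"""Toy model of a THOR-style false-positive filter (added example, not THOR code).

Assumptions (not taken from the project):
  * false_positive_filters.cfg holds one regular expression per line,
    blank lines and lines starting with '#' are ignored;
  * each expression is searched against the WHOLE rendered event line,
    which is what makes an ENTRY-derived pattern work without also
    suppressing unrelated 'Suspicious Log Entry found' events.
"""
import re
from typing import List, Tuple

# Constructed single-line renderings of two LogScan events (not real THOR output).
# Event 0 is the OpenVAS scan traffic from the question; event 1 is a hit on the
# same webshell filename IOC from an ordinary client that must NOT be suppressed.
CONSTRUCTED_EVENTS = [
    'MODULE: LogScan MESSAGE: Suspicious Log Entry found ENTRY: ..."GET '
    '/dotcms/html/portal/login.jsp HTTP/1.1" 200 8506 "-" '
    '"Mozilla/5.0 [en] (X11, U; OpenVAS-VT 22.7.3)"',
    'MODULE: LogScan MESSAGE: Suspicious Log Entry found ENTRY: ..."GET '
    '/jboss/login.jsp HTTP/1.1" 200 1234 "-" "curl/8.4.0"',
]

# Three candidate filter files (constructed). The first reproduces the
# over-broad filter the question worries about; the other two are scoped
# to the scanner's User-Agent as suggested in the answer.
BROAD_CFG = "# suppresses EVERY LogScan finding with this message\nSuspicious Log Entry found\n"
NARROW_CFG = "# scanner User-Agent from the ENTRY field\nOpenVAS-VT\n"
COMBINED_CFG = (
    "# MESSAGE and ENTRY in one expression: only LogScan entries from OpenVAS\n"
    r"Suspicious Log Entry found.*OpenVAS-VT \d+\.\d+\.\d+" + "\n"
)


def parse_filters(cfg_text: str) -> List[re.Pattern]:
    """Compile every non-comment, non-blank line of the config as a regex."""
    filters = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        filters.append(re.compile(line))
    return filters


def is_filtered(event: str, filters: List[re.Pattern]) -> bool:
    """True if any filter matches anywhere in the full event line."""
    return any(f.search(event) for f in filters)


def apply_filters(events: List[str], filters: List[re.Pattern]) -> Tuple[List[str], List[str]]:
    """Split events into (kept, suppressed) according to the filter list."""
    kept, suppressed = [], []
    for ev in events:
        (suppressed if is_filtered(ev, filters) else kept).append(ev)
    return kept, suppressed


def suppressed_count(cfg_text: str) -> int:
    """Convenience: how many of the constructed events a config would hide."""
    return len(apply_filters(CONSTRUCTED_EVENTS, parse_filters(cfg_text))[1])


if __name__ == "__main__":
    for label, cfg in (("broad", BROAD_CFG), ("narrow", NARROW_CFG), ("combined", COMBINED_CFG)):
        kept, suppressed = apply_filters(CONSTRUCTED_EVENTS, parse_filters(cfg))
        print(f"{label:8s}: kept={len(kept)} suppressed={len(suppressed)}")
        for ev in kept:
            print("   still reported:", ev[:70], "...")
```

Run as-is, the broad message-only filter hides both events, including the curl request that is exactly what the Filename IOC is meant to catch, whereas the User-Agent filter and the combined expression hide only the OpenVAS line. The combined form is the closest thing to "filter on MESSAGE and ENTRY at once": because the filter sees the whole line, a single regex can require both substrings in order.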

Neo23x0 commented 1 year ago

Could you tell me the rule name that triggered this event?

furrnace commented 1 year ago

It doesn't give a rule name. LogScan module.

REASON_1:
Filename IOC \login.jsp
SUBSCORE_1:
75
REF_1:
Cisco JBoss Webshell Names https://goo.gl/drkm6k - modified list
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1:
/login.jsp