I can't figure out why this log line triggers rule 1002. Can anyone see it? 

Background: I recently updated the server to 2.8.1. Today I added this web 
server's IIS log file to its agent's <localfiles>, and now that it is 
sending the entries to the server, I am getting this alert from rule 1002. 
I have not overridden the stock 1002 or the $BAD_WORDS definition from 
syslog_rules.xml.

Here is ossec-logtest output: (some manual redaction performed)

**Phase 1: Completed pre-decoding.
       full event: '2014-10-17 15:06:09 192.168.2X.228 GET /personifyebusiness/XXXX/PersonifyScriptResource.axd s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-Personify.WebControls.ShoppingCart-*-k*-_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js&t=text/javascript&v=635470873431210000 443 [email protected] 172.X.0.X Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15'
       hostname: 'tmars1'
       program_name: '(null)'
       log: '2014-10-17 15:06:09 192.168.2X.228 GET /personifyebusiness/XXXX/PersonifyScriptResource.axd s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-Personify.WebControls.ShoppingCart-*-k*-_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js&t=text/javascript&v=635470873431210000 443 [email protected] 172.X.0.X Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


thanks,
Rick McClinton

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
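The script below is an added example, not part of Rick's post and not OSSEC's own code. It replays the stock rule 1002 check over the posted log line to show which $BAD_WORDS alternative is hitting: rule 1002 is a plain <match> on $BAD_WORDS, and OSSEC's <match> is (as I understand it) a case-insensitive, unanchored substring test on each '|' alternative, so the "Error" inside the file name ImageLoadErrorHandler.js is enough to fire it. The BAD_WORDS value is reproduced from memory of the 2.8.x syslog_rules.xml and is an assumption to be diffed against your own rules file; the level-0 child rule the script models at the end is a common local_rules.xml pattern, also an assumption rather than anything from the post.

```python
"""Replay OSSEC rule 1002 ($BAD_WORDS) against an IIS log line.

Added example; BAD_WORDS below is reproduced from memory of the stock
OSSEC 2.8.x rules/syslog_rules.xml and is an assumption. Compare it with
the <var name="BAD_WORDS"> line in your own install before relying on it.
"""

# Assumed stock value (see module docstring).
BAD_WORDS = ("core_dumped|failure|error|attack| bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")

# The log line from the post, re-joined into one line with the same
# redactions the poster applied. Constructed input for this example.
SAMPLE_LINE = (
    "2014-10-17 15:06:09 192.168.2X.228 GET "
    "/personifyebusiness/XXXX/PersonifyScriptResource.axd "
    "s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-"
    "_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-"
    "_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-"
    "Personify.WebControls.ShoppingCart-*-k*-"
    "_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-"
    "_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js"
    "&t=text/javascript&v=635470873431210000 443 [email protected] 172.X.0.X "
    "Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15"
)

# A constructed, benign IIS line with no bad word anywhere in it.
CLEAN_LINE = ("2014-10-17 15:06:09 192.168.2X.228 GET /index.html - 443 - "
              "172.X.0.X Mozilla 200 0 0 15")


def find_bad_words(line, bad_words=BAD_WORDS, context=12):
    """Return [(word, offset, snippet)] for every $BAD_WORDS alternative
    found in `line`.

    Mirrors OSSEC <match> semantics as assumed here: each '|' alternative
    is a literal, compared case-insensitively, anywhere in the event. The
    snippet shows `context` characters on either side so you can see what
    the word was embedded in (e.g. a JavaScript file name).
    """
    hits = []
    low = line.lower()
    for word in bad_words.split("|"):
        needle = word.lower()
        start = 0
        while True:
            idx = low.find(needle, start)
            if idx == -1:
                break
            snippet = line[max(0, idx - context): idx + len(word) + context]
            hits.append((word, idx, snippet))
            start = idx + 1
    return hits


def would_fire_1002(line, bad_words=BAD_WORDS):
    """True if the stock rule 1002 <match>$BAD_WORDS</match> would fire."""
    return bool(find_bad_words(line, bad_words))


def would_fire_with_ignore_child(line, ignore_match, bad_words=BAD_WORDS):
    """Model a hypothetical level-0 child rule in local_rules.xml:

        <rule id="100002" level="0">
          <if_sid>1002</if_sid>
          <match>ignore_match</match>
          <description>Known-benign JS bundle name matching $BAD_WORDS</description>
        </rule>

    The child is evaluated only when 1002 matched; if its own <match> also
    hits, the level-0 child wins and no alert is generated. Rule id and
    description are made up for the example.
    """
    if not would_fire_1002(line, bad_words):
        return False
    return ignore_match.lower() not in line.lower()


if __name__ == "__main__":
    for word, offset, snippet in find_bad_words(SAMPLE_LINE):
        print("rule 1002 hit on %r at offset %d: ...%s..." % (word, offset, snippet))
    print("fires as-is:", would_fire_1002(SAMPLE_LINE))
    print("fires with ignore child on 'ImageLoadErrorHandler.js':",
          would_fire_with_ignore_child(SAMPLE_LINE, "ImageLoadErrorHandler.js"))
```

Run it with ossec-logtest's "full event" pasted into SAMPLE_LINE and it reports the offending alternative and the surrounding text. The ignore child is deliberately narrow (a specific file name) so it does not blind you to a real "error" elsewhere in IIS traffic; a broader fix is to get the IIS W3C lines decoded by a web-access decoder instead of falling through to the generic windows-date-format decoder and the syslog catch-all, since Phase 2 in the logtest output shows no web decoder matched.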