I can't figure out why this log line triggers rule 1002. Can anyone see it?
Background: I recently updated the server to 2.8.1. Today I added this web
server's IIS log file to its agent's <localfiles>, and now that it is
sending the entries to the server, I am getting this alert from rule 1002.
I have not overridden the stock 1002 or the $BAD_WORDS definition from
syslog_rules.xml.
Here is the ossec-logtest output (some manual redaction performed):
**Phase 1: Completed pre-decoding.
full event: '2014-10-17 15:06:09 192.168.2X.228 GET /personifyebusiness/XXXX/PersonifyScriptResource.axd s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-Personify.WebControls.ShoppingCart-*-k*-_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js&t=text/javascript&v=635470873431210000 443 [email protected] 172.X.0.X Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15'
hostname: 'tmars1'
program_name: '(null)'
log: '2014-10-17 15:06:09 192.168.2X.228 GET /personifyebusiness/XXXX/PersonifyScriptResource.axd s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-Personify.WebControls.ShoppingCart-*-k*-_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js&t=text/javascript&v=635470873431210000 443 [email protected] 172.X.0.X Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
Thanks,
Rick McClinton
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
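A way to answer this kind of question without guessing, as an added example that is not part of the original post and not OSSEC's own code: model the `<match>` operator that stock rule 1002 applies to `$BAD_WORDS` and report which alternative is present in the line. Two assumptions are baked in. First, the `$BAD_WORDS` string below is the stock definition from `syslog_rules.xml` as I know it (check it against your own copy). Second, OSSEC's `<match>` is treated here as a plain, case-insensitive substring search with `|` as the only operator; anchors and other syntax are deliberately not modelled. The IIS line is the redacted one from the post re-joined onto one line; the other two lines are constructed for contrast.

```python
"""Which $BAD_WORDS alternative does an IIS log line contain?

Added example, not part of the original post or of OSSEC.  The $BAD_WORDS
value is assumed to be the stock syslog_rules.xml definition; the matcher
is a simplified model of OSSEC's <match>: '|'-separated alternatives,
each searched for as a case-insensitive substring of the whole line.
"""

# Assumed stock $BAD_WORDS from syslog_rules.xml (the post says it is unmodified).
BAD_WORDS = ("core_dumped|failure|error|attack| bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")


def matched_alternatives(log, pattern=BAD_WORDS):
    """Return every '|' alternative of `pattern` found in `log`, case-insensitively.

    Alternatives are matched as raw substrings, so leading/trailing spaces
    (' bad ', 'illegal ') are significant, exactly as in the stock list.
    """
    lowered = log.lower()
    return [alt for alt in pattern.split("|") if alt.lower() in lowered]


def explain_match(log, pattern=BAD_WORDS, context=20):
    """Locate the first matching alternative inside a (possibly very long) line.

    Returns (alternative, offset, surrounding_text) or None if nothing matches,
    so the offending token can be seen in context rather than hunted by eye.
    """
    lowered = log.lower()
    for alt in pattern.split("|"):
        pos = lowered.find(alt.lower())
        if pos != -1:
            start, end = max(0, pos - context), pos + len(alt) + context
            return alt, pos, log[start:end]
    return None


# Constructed sample input.  IIS_LINE is the redacted line from the post,
# joined back onto one line; CLEAN_LINE and REAL_ERROR are made up.
IIS_LINE = (
    "2014-10-17 15:06:09 192.168.2X.228 GET "
    "/personifyebusiness/XXXX/PersonifyScriptResource.axd "
    "s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-"
    "_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-"
    "_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-"
    "Personify.WebControls.ShoppingCart-*-k*-"
    "_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-"
    "_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js"
    "&t=text/javascript&v=635470873431210000 "
    "443 [email protected] 172.X.0.X "
    "Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15"
)
CLEAN_LINE = ("2014-10-17 15:06:10 192.168.2X.228 GET /index.html - 443 - "
              "172.X.0.X Mozilla/5.0 200 0 0 3")
REAL_ERROR = ("2014-10-17 15:06:11 192.168.2X.228 GET /login.aspx - 443 - "
              "172.X.0.X Mozilla/5.0 500 0 64 120 Unauthorized access attempt")


if __name__ == "__main__":
    for line in (IIS_LINE, CLEAN_LINE, REAL_ERROR):
        hits = matched_alternatives(line)
        print(f"{str(hits) if hits else 'no match':<18} {line[:60]}...")
        if hits:
            alt, pos, ctx = explain_match(line)
            print(f"    '{alt}' at offset {pos}: ...{ctx}...")
```

Run as-is, the script points at the substring in the script-resource URL that happens to contain one of the stock alternatives, which is why a perfectly healthy HTTP 200 lands in a level-2 "unknown problem" alert. The usual OSSEC remedy is not to edit `syslog_rules.xml` but to add a local rule in `local_rules.xml` that uses `<if_sid>1002</if_sid>` together with a `<match>` on the benign token and a lower level, so that the catch-all keeps firing for genuine errors in the same log.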