And what does the configuration error message say?

On Tuesday, 17 November 2020 at 17:10:45 UTC Andrew S wrote:
> Actually I have tried to add the rule you have highlighted:
>
>     <rule id="1009" level="0">
>       <if_sid>1002</if_sid>
>       <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
>       <pcre2>PPM exceeds tolerance</pcre2>
>       <description>Ignoring known false positives on rule 1002..</description>
>     </rule>
>
> to my file: /var/ossec/rules/local_rules.xml
>
> but I am getting a configuration error when I restart OSSEC. Not sure why this happens as I am just copying and pasting that rule from your example.
>
> many thanks again,
> Andrew
>
> On Monday, 16 November 2020 at 18:00:32 UTC dan (ddpbsd) wrote:
>> No worries. You added some great information.
>>
>> On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny <saw...@gmail.com> wrote:
>>> ACK! Sorry! Didn't see you'd already replied, Dan...
>>>
>>> What he said. :)
>>>
>>> Scott
>>>
>>> On Mon, Nov 16, 2020, 10:10 dan (ddp) <ddp...@gmail.com> wrote:
>>>> On Mon, Nov 16, 2020 at 7:27 AM Andrew S <banan...@gmail.com> wrote:
>>>>> Hi Brian,
>>>>>
>>>>> Thank you for the clarification but I don't understand why someone would associate our website with dailymail.co.uk?
>>>>
>>>> I haven't verified, but Brian mentioned dailymail being in the referrer field. So there was (possibly) a link somewhere on the page in the log message pointing at your site.
>>>>
>>>>> GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>>>>>
>>>>> I understand the part of the log: GET / HTTP/2.0" 200
>>>>>
>>>>> I don't understand:
>>>>>
>>>>> 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>>>>>
>>>>> Why 84 and why this dailymail URL?
>>>>> many thanks
>>>>> Andrew
>>>>>
>>>>> On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
>>>>>> Rule 1002 is a general catch-all rule which matches generic "bad words" like "failed" and "denied", as you can see here:
>>>>>>
>>>>>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>>>>>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>>>>>>
>>>>>> It's a false positive for you, since the word "failed" appears in the Referer field of your HTTP logs. You can silence these by writing your own more specific rule to catch them, e.g.
>>>>>>
>>>>>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>>>>>>
>>>>>> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>>>>>>> We keep receiving these notifications from OSSEC. Our site has nothing to do with dailymail. Is this worrying or is this a false alert?
>>>>>>>
>>>>>>> Received From: server->/var/log/nginx/access.log
>>>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>>>>> Portion of the log(s):
>>>>>>>
>>>>>>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/7a59f156-2823-4945-a828-6d9bc7f5c4e4n%40googlegroups.com.
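As an added example that is not part of this thread and not OSSEC's own code: the matching Brian describes, re-created in Python so it can be tried offline. It applies the rule 1002 bad-word match, parses the nginx combined log line (which is where the 84, the bytes sent, and the dailymail Referer come from), and models a level-0 child rule that suppresses the alert only when the bad word is confined to the client-controlled Referer/User-Agent fields, so a request line that really does contain "failed" still alerts. The bad-word list is assumed from the linked 00-crs-syslog_rules.xml, the rule id 100002 and the local rule XML are hypothetical, and the log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the BAD_WORDS variable behind OSSEC rule 1002, as in the linked
# 00-crs-syslog_rules.xml; check it against the ruleset you actually run.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused"
    r"|unauthorized|fatal|failed|Segmentation Fault|Corrupted",
    re.IGNORECASE,
)

# nginx "combined" log format. The number after the status code is the body
# size in bytes (the 84 in the thread); the quoted string after it is the
# Referer header, the page the browser claims it came from (the dailymail URL).
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical local rule id, taken from the 100000+ range OSSEC sets aside
# for user-defined rules so it cannot collide with a shipped rule id.
LOCAL_RULE_ID = 100002

# Hypothetical OSSEC local rule (assumes a release with <pcre2> support).
# It matches only when the request line is free of bad words and a bad word
# sits inside the Referer quotes; it covers the words the thread mentions,
# extend the alternation to the full BAD_WORDS list as needed.
LOCAL_RULE_XML = r'''<group name="local,nginx,">
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <pcre2>(?i)^\S+ \S+ \S+ \[[^\]]+\] "(?:(?!failed|error|denied|refused)[^"])*" \d{3} (?:\d+|-) "[^"]*(?:failed|error|denied|refused)[^"]*" "[^"]*"$</pcre2>
    <description>nginx: rule 1002 bad word confined to the Referer field</description>
  </rule>
</group>
'''

# Constructed sample lines, modelled on the log in the thread.
SAMPLE_LOG = [
    # "failed" appears only in the Referer: the false positive from the thread.
    '203.0.113.10 - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 '
    '"https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0.3538.102"',
    # Nothing in BAD_WORDS at all.
    '203.0.113.11 - - [15/Nov/2020:08:29:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    # The request path itself carries a bad word: must still alert.
    '203.0.113.12 - - [15/Nov/2020:08:30:12 +0000] "GET /login/failed HTTP/1.1" 403 0 '
    '"https://example.com/failed" "Mozilla/5.0"',
    # Not a combined-format line, so nothing can be ruled out: must still alert.
    'Nov 15 08:31:00 server sshd[123]: Failed password for invalid user admin from 203.0.113.13 port 4444 ssh2',
]


def parse_combined(line):
    """Split a combined-format access log line into its fields, or None."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def evaluate(line):
    """Return (rule_id, level) of the rule left standing for a line, or None.

    Mirrors the OSSEC decision tree: rule 1002 (level 2) fires on any bad
    word; the level-0 child takes over only when every bad word sits in the
    Referer or User-Agent field, both of which the client controls.
    """
    if not BAD_WORDS.search(line):
        return None
    fields = parse_combined(line)
    if fields is not None:
        # The line with the two client-supplied header fields removed.
        core = '{client} [{time}] "{request}" {status} {bytes}'.format(**fields)
        if not BAD_WORDS.search(core):
            return (LOCAL_RULE_ID, 0)
    return (1002, 2)


def local_rule_matches(line):
    """Run the XML rule's pcre2 over a line with Python's re engine (same
    lookahead syntax) as a sanity check of the pattern before deploying it."""
    pattern = ET.fromstring(LOCAL_RULE_XML).find("rule/pcre2").text
    return re.search(pattern, line) is not None


def report(lines=SAMPLE_LOG):
    """Evaluate every line; list of (rule_id, level) or None per line."""
    return [evaluate(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, report()):
        print(verdict, "<-", line[:70])
```

The point of scrubbing the Referer and User-Agent before re-testing, rather than simply matching "failed" anywhere in the Referer, is that both headers are attacker-supplied: a level-0 rule that keys on the Referer alone would let a request such as GET /login/failed be silenced by anyone who also sets a Referer containing the same word.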