after looking at the error log it says:

2020/11/21 13:15:49 ossec-analysisd: Duplicate rule ID:1009
2020/11/21 13:15:49 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

do I need to change the rule ID to another random number?

On Saturday, 21 November 2020 at 13:17:20 UTC Andrew S wrote:
> Killing ossec-monitord ..
> Killing ossec-logcollector ..
> Killing ossec-syscheckd ..
> Killing ossec-analysisd ..
> Killing ossec-maild ..
> Killing ossec-execd ..
> OSSEC HIDS v2.8 Stopped
> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
> ossec-analysisd: Configuration error. Exiting.
>
> On Wednesday, 18 November 2020 at 08:39:19 UTC Brian Candler wrote:
>> And what does the configuration error message say?
>>
>> On Tuesday, 17 November 2020 at 17:10:45 UTC Andrew S wrote:
>>> Actually I have tried to add the rule you have highlighted:
>>>
>>> <rule id="1009" level="0">
>>>   <if_sid>1002</if_sid>
>>>   <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
>>>   <pcre2>PPM exceeds tolerance</pcre2>
>>>   <description>Ignoring known false positives on rule 1002..</description>
>>> </rule>
>>>
>>> to my file: /var/ossec/rules/local_rules.xml
>>>
>>> but I am getting a configuration error when I restart OSSEC. Not sure why this happens as I am just copying and pasting that rule from your example.
>>>
>>> many thanks again,
>>> Andrew
>>>
>>> On Monday, 16 November 2020 at 18:00:32 UTC dan (ddpbsd) wrote:
>>>> No worries. You added some great information.
>>>>
>>>> On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny <saw...@gmail.com> wrote:
>>>> > ACK! Sorry! Didn't see you'd already replied, Dan...
>>>> >
>>>> > What he said. :)
>>>> >
>>>> > Scott
>>>> >
>>>> > On Mon, Nov 16, 2020, 10:10 dan (ddp) <ddp...@gmail.com> wrote:
>>>> >> On Mon, Nov 16, 2020 at 7:27 AM Andrew S <banan...@gmail.com> wrote:
>>>> >> > Hi Brian,
>>>> >> >
>>>> >> > Thank you for the clarification but I don't understand why someone would associate our website with dailymail.co.uk ?
>>>> >>
>>>> >> I haven't verified, but Brian mentioned dailymail being in the referrer field. So there was (possibly) a link somewhere on the page in the log message pointing at your site.
>>>> >>
>>>> >> > GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>>>> >> >
>>>> >> > I understand the part of the log: GET / HTTP/2.0" 200
>>>> >> >
>>>> >> > I don't understand:
>>>> >> >
>>>> >> > 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>>>> >> >
>>>> >> > Why 84 and why this dailymail URL ?
>>>> >> >
>>>> >> > many thanks
>>>> >> > Andrew
>>>> >> >
>>>> >> > On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
>>>> >> >> Rule 1002 is a general catch-all rule which matches generic "bad words" like "failed" and "denied", as you can see here:
>>>> >> >>
>>>> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>>>> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>>>> >> >>
>>>> >> >> It's a false positive for you, since the word "failed" appears in the Referer field of your HTTP logs. You can silence these by writing your own more specific rule to catch them, e.g.
>>>> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>>>> >> >>
>>>> >> >> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>>>> >> >>> We keep receiving these notifications from OSSEC. Our site has nothing to do with dailymail. Is this worrying or is this a false alert?
>>>> >> >>>
>>>> >> >>> Received From: server->/var/log/nginx/access.log
>>>> >> >>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>> >> >>> Portion of the log(s):
>>>> >> >>>
>>>> >> >>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/7d2e5210-7ae1-4a00-8003-f96d5c45f740n%40googlegroups.com.
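An added example, not code from the thread or from the OSSEC project, showing how to locate the cause of a "Duplicate rule ID" error like the one above: it parses a set of OSSEC rule files and reports any rule id declared more than once. The two sample files are constructed (the base file is assumed to already carry a rule 1009, matching the reported error), and `load_rule_dir` assumes the /var/ossec/rules layout named in the thread.

```python
# Added example (not from the thread): find OSSEC rule IDs declared in more
# than one rule file, the cause of "ossec-analysisd: Duplicate rule ID:1009".
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Constructed sample files: the base rules are assumed to already define
# 1009, and a local_rules.xml copied from the thread defines it again.
SAMPLE_FILES = {
    "00-crs-syslog_rules.xml": """
<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="1009" level="0">
    <if_sid>1002</if_sid>
    <description>Ignoring known false positives on rule 1002..</description>
  </rule>
</group>
""",
    "local_rules.xml": """
<group name="local,syslog,">
  <rule id="1009" level="0">
    <if_sid>1002</if_sid>
    <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
    <description>Ignoring known false positives on rule 1002..</description>
  </rule>
</group>
""",
}

def rule_ids(xml_text):
    """Return the rule ids declared in one OSSEC rule file, in file order."""
    # OSSEC rule files hold several top-level <var>/<group> elements, so they
    # are not single-rooted XML; wrap them before using a standard parser.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    return [r.get("id") for r in root.iter("rule") if r.get("id")]

def find_duplicates(files):
    """Map each rule id declared more than once to the files declaring it."""
    declared = defaultdict(list)
    for name, text in files.items():
        for rid in rule_ids(text):
            declared[rid].append(name)
    return {rid: names for rid, names in declared.items() if len(names) > 1}

def load_rule_dir(path="/var/ossec/rules"):
    """Read every *.xml in an OSSEC rules directory (assumed layout)."""
    return {p.name: p.read_text(encoding="utf-8") for p in sorted(Path(path).glob("*.xml"))}
```

On a live install, `find_duplicates(load_rule_dir())` checks the whole rules directory and names both files that declare each clashing id.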