I have now changed the ID to something else but am getting a new error:

2020/11/21 16:22:19 ossec-testrule: INFO: Reading local decoder file.
2020/11/21 16:22:19 ossec-analysisd: Invalid option 'pcre2' for rule '100009'.
2020/11/21 16:22:19 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

On Saturday, 21 November 2020 at 13:23:36 UTC Andrew S wrote:

> after looking at the error log it says:
>
> 2020/11/21 13:15:49 ossec-analysisd: Duplicate rule ID:1009
> 2020/11/21 13:15:49 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>
> do I need to change the rule ID to another random number?
>
> On Saturday, 21 November 2020 at 13:17:20 UTC Andrew S wrote:
>
>> Killing ossec-monitord .. 
>>
>> Killing ossec-logcollector .. 
>>
>> Killing ossec-syscheckd .. 
>>
>> Killing ossec-analysisd .. 
>>
>> Killing ossec-maild .. 
>>
>> Killing ossec-execd .. 
>>
>> OSSEC HIDS v2.8 Stopped
>>
>> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
>>
>> ossec-analysisd: Configuration error. Exiting.
>>
>> On Wednesday, 18 November 2020 at 08:39:19 UTC Brian Candler wrote:
>>
>>> And what does the configuration error message say?
>>>
>>> On Tuesday, 17 November 2020 at 17:10:45 UTC Andrew S wrote:
>>>
>>>> Actually I have tried to add the rule you have highlighted:
>>>>
>>>> <rule id="1009" level="0">
>>>>   <if_sid>1002</if_sid>
>>>>   <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
>>>>   <pcre2>PPM exceeds tolerance</pcre2>
>>>>   <description>Ignoring known false positives on rule 1002..</description>
>>>> </rule>
>>>>
>>>> to my file: /var/ossec/rules/local_rules.xml
>>>>
>>>> but I am getting a configuration error when I restart OSSEC. Not sure 
>>>> why this happens as I am just copying and pasting that rule from your 
>>>> example.
>>>>
>>>> many thanks again,
>>>> Andrew
>>>>
>>>> On Monday, 16 November 2020 at 18:00:32 UTC dan (ddpbsd) wrote:
>>>>
>>>>> No worries. You added some great information. 
>>>>>
>>>>> On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny <saw...@gmail.com> wrote: 
>>>>> > 
>>>>> > ACK! Sorry! Didn't see you'd already replied, Dan... 
>>>>> > 
>>>>> > What he said. :) 
>>>>> > 
>>>>> > Scott 
>>>>> > 
>>>>> > 
>>>>> > On Mon, Nov 16, 2020, 10:10 dan (ddp) <ddp...@gmail.com> wrote: 
>>>>> >> 
>>>>> >> On Mon, Nov 16, 2020 at 7:27 AM Andrew S <banan...@gmail.com> wrote: 
>>>>> >> > 
>>>>> >> > Hi Brian, 
>>>>> >> > 
>>>>> >> > Thank you for the clarification but I don't understand why someone would associate our website with dailymail.co.uk? 
>>>>> >> > 
>>>>> >> 
>>>>> >> I haven't verified, but Brian mentioned dailymail being in the referrer field. So there was (possibly) a link somewhere on the page in the log message pointing at your site. 
>>>>> >> 
>>>>> >> > GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>>>>> >> > 
>>>>> >> > I understand the part of the log: GET / HTTP/2.0" 200 
>>>>> >> > 
>>>>> >> > I don't understand: 
>>>>> >> > 
>>>>> >> > 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
>>>>> >> > 
>>>>> >> > Why 84 and why this dailymail URL? 
>>>>> >> > 
>>>>> >> > many thanks 
>>>>> >> > Andrew 
>>>>> >> > 
>>>>> >> > On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote: 
>>>>> >> >> 
>>>>> >> >> Rule 1002 is a general catch-all rule which matches generic "bad words" like "failed" and "denied", as you can see here: 
>>>>> >> >> 
>>>>> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>>>>> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>>>>> >> >> 
>>>>> >> >> It's a false positive for you, since the word "failed" appears in the Referer field of your HTTP logs. You can silence these by writing your own more specific rule to catch them, e.g. 
>>>>> >> >> 
>>>>> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>>>>> >> >> 
>>>>> >> >> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote: 
>>>>> >> >>> 
>>>>> >> >>> We keep receiving these notifications from OSSEC. Our site has nothing to do with dailymail. Is this worrying or is this a false alert? 
>>>>> >> >>> 
>>>>> >> >>> Received From: server->/var/log/nginx/access.log 
>>>>> >> >>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." 
>>>>> >> >>> Portion of the log(s): 
>>>>> >> >>> 
>>>>> >> >>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041" 
>>>>> >> > 
>>>>> >> > -- 
>>>>> >> > 
>>>>> >> > --- 
>>>>> >> > You received this message because you are subscribed to the 
>>>>> Google Groups "ossec-list" group. 
>>>>> >> > To unsubscribe from this group and stop receiving emails from it, 
>>>>> send an email to ossec-list+...@googlegroups.com. 
>>>>> >> > To view this discussion on the web visit 
>>>>> https://groups.google.com/d/msgid/ossec-list/7a59f156-2823-4945-a828-6d9bc7f5c4e4n%40googlegroups.com.
>>>>>  
>>>>>
>>>>

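Added example, not code from the thread or from the OSSEC project: a small Python checker that reproduces the two load failures seen above (the duplicate ID 1009 and the `pcre2` option that the 2.8 ossec-analysisd rejects) against the pasted rule, and tests whether a `<match>`-style alternation would hit the nginx line that triggered rule 1002. The 100000-119999 local ID range, the 3.x cut-off for `pcre2`, the literal-substring semantics of `<match>` and the sample inputs are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# OSSEC reserves 100000-119999 for user rules in local_rules.xml (assumption from
# the OSSEC rule-ID convention); stock rules such as 1002 and 1009 sit below that.
LOCAL_ID_RANGE = (100000, 119999)
# Options only newer ossec-analysisd accepts: 'pcre2' arrived with OSSEC 3.x
# (assumption); a 2.8 install reports "Invalid option 'pcre2'" as the thread shows.
VERSIONED_OPTIONS = {"pcre2": (3, 0)}


def lint_local_rules(xml_text, ossec_version, stock_ids=frozenset()):
    """Return the load-time problems ossec-analysisd would report, in file order."""
    problems, seen = [], set()
    for rule in ET.fromstring(xml_text).iter("rule"):
        rid = int(rule.get("id"))
        if rid in seen or rid in stock_ids:
            problems.append(f"Duplicate rule ID:{rid}")
        seen.add(rid)
        lo, hi = LOCAL_ID_RANGE
        if not lo <= rid <= hi:
            problems.append(f"rule {rid} is outside the local range {lo}-{hi}")
        for child in rule:
            needed = VERSIONED_OPTIONS.get(child.tag)
            if needed and ossec_version < needed:
                problems.append(f"Invalid option '{child.tag}' for rule '{rid}'")
    return problems


def match_any(pattern, log_line):
    """Mimic OSSEC <match>: '|'-separated literal substrings, any one suffices."""
    return any(alt in log_line for alt in pattern.split("|") if alt)


def rule_xml(rule_id, option_tag):
    """Constructed local_rules.xml wrapping the rule pasted in the thread."""
    return f"""<group name="local,">
  <rule id="{rule_id}" level="0">
    <if_sid>1002</if_sid>
    <{option_tag}>terminated without error|can't verify hostname: getaddrinfo|PPM exceeds tolerance</{option_tag}>
    <description>Ignoring known false positives on rule 1002..</description>
  </rule>
</group>"""


# Constructed nginx access-log line modelled on the alert quoted in the thread.
NGINX_LINE = ('2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] '
              '"GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/'
              'SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0"')
```

Running `lint_local_rules(rule_xml(1009, "pcre2"), (2, 8), {1002, 1009})` yields the duplicate-ID, out-of-range and invalid-option findings in that order, while `rule_xml(100009, "match")` passes cleanly on 2.8; `match_any` shows the stock phrases never touch the nginx line, so the silencing rule needs a phrase taken from the actual referrer.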