It's to catch some of the events that do not have rules, but have potential to be bad. Whenever I get a 1002 alert, I write a rule to catch it so I don't have to see the 1002 again.
On Tue, May 11, 2010 at 4:57 PM, rafael.gomes <rafael.go...@ufba.br> wrote:
> Guys,
>
> What is the purpose of that BAD_WORDS?
>
> In my case I always get false positives for this rule (number 1002).
>
> IMO we should remove this rule from OSSEC. What do you think about it?
>
> --
> Regards,
>
> Rafael Brito Gomes
> Security Analyst
> LPIC-1 MCSO
> DISUP/CPD/UFBA
> Tel : +55 71 3283 6100
>
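
The workflow described in the reply above, as an added example that is not part of the original thread or of the OSSEC ruleset: child rules of 1002 in `local_rules.xml`, one silencing a message known to be benign and one promoting a message that matters. The rule ids, the `backup-agent` program name, the match strings and the sample log line are all constructed assumptions.

```xml
<!-- local_rules.xml: added example; ids, program name and match text are constructed -->
<group name="local,syslog,">

  <!-- Constructed sample line that tripped rule 1002 because it contains "error":
       May 11 16:40:02 web01 backup-agent[2211]: retry 1 of 3: transient error contacting mirror -->

  <!-- Known-benign message: child of 1002 at level 0, so it no longer raises the 1002 alert -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <program_name>^backup-agent</program_name>
    <match>transient error contacting mirror</match>
    <description>backup-agent: transient mirror retry (benign, replaces 1002).</description>
  </rule>

  <!-- Same program, a message that does matter: its own rule with a real alert level -->
  <rule id="100101" level="8">
    <if_sid>1002</if_sid>
    <program_name>^backup-agent</program_name>
    <match>fatal: backup set corrupted</match>
    <description>backup-agent: backup set reported as corrupted.</description>
  </rule>

</group>
```

Pasting the sample line into `ossec-logtest` shows which rule fires before the manager is restarted. Keeping each match string as narrow as the message allows means unrelated events from the same program still fall through to 1002.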