Hi Rafael,

I find this rule useful too. If you (and everyone else having too many false positives) can provide the logs that are matching, we can add some of these to our default rules as ignored by default.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, May 13, 2010 at 10:09 PM, Michael Starks <ossec-l...@michaelstarks.com> wrote:
> rafael.gomes wrote:
>> Guys,
>>
>> What is the purpose of that BAD_WORDS?
>>
>> In my case I always get false positives for this rule (number 1002).
>>
>> IMO we should remove this rule from OSSEC. What do you think about it?
>>
>
> I have found this rule to be pretty useful. It has alerted me to
> non-security production issues, but also security events from logs which
> don't have a decoder. I would definitely vote to keep it.
>
> --
> Michael Starks
> [I] Immutable Security
> http://www.immutablesecurity.com
>