Hi OSSECers,
I've recently been working with Splunk dashboarding (using the Splunk for OSSEC app as a starting point). One of the features I've expanded is the 'top severities list', where I've named the severities according to the Rules Classification documentation ( http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-levels.html ) What I've noticed is that the 'Integrity Checksum Changed' signature is coming in as Severity 7 (Bad Word Match), and looking into the rules I can see that reflected, and the only thing I see at sev "11" are the IDS rules. Below are relevant sections in the rules in OSSEC 2.8.1. Is it correct that rule id 510 has level="7"? I'm going to change it 10 11 in my local config, but it'd be good to know the intentions of this if it's not an oversight. rules/ids_rules.xml <rule id="510" level="7"> <if_sid>509</if_sid> <description>Host-based anomaly detection event (rootcheck).</description> <group>rootcheck,</group> <if_fts /> </rule> rules/ids_rules.xml <!-- This rule is to detect bad configured IDSs alerting on - the same thing all the time. We will skip those events - since they became just noise. --> <rule id="20161" level="11" frequency="3" timeframe="3800"> <if_matched_sid>20151</if_matched_sid> <same_source_ip /> <same_id /> <ignore>srcip, id</ignore> <description>Multiple IDS events from same source ip </description> <description>(ignoring now this srcip and id).</description> </rule> <rule id="20162" level="11" frequency="3" timeframe="3800"> <if_matched_sid>20152</if_matched_sid> <same_id /> <ignore>id</ignore> <description>Multiple IDS alerts for same id </description> <description>(ignoring now this id).</description> </rule> Thanks! -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
