Hi to all,
I find that the OSSEC alert logs are a bit too verbose.
For Apache, each access to a non-existent file is logged by the rule:
<rule id="30112" level="5">
  <if_sid>30101</if_sid>
  <match>File does not exist: |</match>
  <match>failed to open stream: No such file or directory|</match>
  <match>Failed opening </match>
  <description>Attempt to access an non-existent file.</description>
</rule>
And for proftpd, each successful FTP login is also logged by the rule:
<rule id="11205" level="3">
  <if_sid>11200</if_sid>
  <match>Login successful</match>
  <group>authentication_success</group>
  <description>FTP Authentication success.</description>
</rule>
I do not think that either case represents a security threat.
In both cases I have changed the "level" to 0 so that they are NOT
logged to the alert log.
My question is: Will this change affect other more important rules
that really detect "bad" things?
Thanks,
Charles
____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
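As an added example (not part of Charles's post), this is how the same silencing is usually done in local_rules.xml rather than by editing the shipped rule file: the stock rule is overridden with level 0, which stops the alert but still lets the rule match, so rules chained to it through if_sid or if_matched_sid keep working. The local rule id 100112, the frequency and timeframe values, and the burst threshold are assumptions chosen for illustration; the same override pattern applies to rule 11205.

```xml
<!-- local_rules.xml: added example, not from the original post.
     Rule id 100112 is in the local-rule range; frequency/timeframe values are illustrative. -->
<group name="local,apache,">

  <!-- Silence the stock rule by overriding it with level 0 instead of editing apache_rules.xml.
       Level 0 suppresses the alert only; the rule is still evaluated and still matches. -->
  <rule id="30112" level="0" overwrite="yes">
    <if_sid>30101</if_sid>
    <match>File does not exist: |</match>
    <match>failed to open stream: No such file or directory|</match>
    <match>Failed opening </match>
    <description>Attempt to access a non-existent file (silenced locally).</description>
  </rule>

  <!-- Keep a signal for bursts: alert once the silenced rule has matched 20 times
       from the same source IP within 120 seconds (threshold values are assumptions). -->
  <rule id="100112" level="8" frequency="20" timeframe="120">
    <if_matched_sid>30112</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to access non-existent files from the same source IP.</description>
  </rule>

</group>
```

After changing rules, restart OSSEC and confirm with ossec-logtest that a sample "File does not exist" line now reports level 0 for rule 30112.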