Daniel,

Thanks for the info! I didn't realize that with 0 they would be totally ignored.

I have changed both to 1, and set the log_alert_level to 2.

Thanks,
Charles

On Aug 18, 2006, at 21:44 , Daniel Cid wrote:


Hi Charles,

If you change them to 0 you may break some other rules that depend
on them (since 0 means ignore it). My suggestion is to change them to
1 or 2. However, the best way is to go to /var/ossec/etc/ossec.conf
and modify the value of "log_alert_level" to something higher (like 4 or 5).
By default it is set to 1, which means log everything.

I agree that these rules by themselves do not represent a security threat,
but correlated with other data may indicate an attack or something
wrong (like an FTP login at 3am on a Sunday, after multiple failed login
attempts for that user...).

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/18/06, kef_list <[EMAIL PROTECTED]> wrote:

Hi to all,

I find that the ossec alert logs are a bit too verbose.

For Apache each access to a nonexisting file is logged by the rule

   <rule id="30112" level="5">
     <if_sid>30101</if_sid>
     <match>File does not exist: |</match>
     <match>failed to open stream: No such file or directory|</match>
     <match>Failed opening </match>
     <description>Attempt to access an non-existent file.</description>
   </rule>

And for proftpd each successful FTP login is also logged by the rule

   <rule id="11205" level="3">
     <if_sid>11200</if_sid>
     <match>Login successful</match>
     <group>authentication_success</group>
     <description>FTP Authentication success.</description>
   </rule>

I do not think that either case represents a security threat.

I have changed in both cases the "level" to 0 so that they are NOT
logged to the alert log.

My question is: Will this change affect other more important rules
that really detect "bad" things?

Thanks,
Charles



____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel:  +34 971.45.90.99  | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18  | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
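
Added illustration, not part of the thread and not OSSEC code: this Python script lists the rules that hang off a given rule through if_sid, the dependency Daniel warns about, and shows which rules a log_alert_level threshold keeps in the alert log. The parent rule bodies, all levels other than the 1 Charles chose, and rules 100001/100002 are constructed; also following if_matched_sid and comma-separated IDs is an assumption beyond what the thread shows.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule set. 11205 and 30112 are the rules quoted in the thread, at
# the level 1 Charles settled on; the parents are stand-ins and 100001/100002
# are hypothetical dependents invented for this example.
RULES_XML = """<group name="constructed">
  <rule id="11200" level="1"><description>Stand-in parent.</description></rule>
  <rule id="11205" level="1"><if_sid>11200</if_sid>
    <description>FTP Authentication success.</description></rule>
  <rule id="30101" level="1"><description>Stand-in parent.</description></rule>
  <rule id="30112" level="1"><if_sid>30101</if_sid>
    <description>Attempt to access an non-existent file.</description></rule>
  <rule id="100001" level="8"><if_sid>11205</if_sid>
    <description>Hypothetical: FTP login at an unusual hour.</description></rule>
  <rule id="100002" level="10"><if_sid>100001, 30112</if_sid>
    <description>Hypothetical correlation rule.</description></rule>
</group>"""

def load_rules(xml_text):
    """Map rule id -> (level, parent ids named in if_sid / if_matched_sid)."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        refs = rule.findall("if_sid") + rule.findall("if_matched_sid")
        parents = [int(n) for el in refs for n in re.findall(r"\d+", el.text or "")]
        rules[int(rule.get("id"))] = (int(rule.get("level")), parents)
    return rules

def dependents(rules, sid):
    """Every rule that reaches `sid` through a chain of parent references."""
    found, queue = set(), [sid]
    while queue:
        current = queue.pop()
        for rid, (_, parents) in rules.items():
            if current in parents and rid not in found:
                found.add(rid)
                queue.append(rid)
    return sorted(found)

def logged(rules, log_alert_level):
    """Rule ids whose level is at or above the log_alert_level threshold."""
    return sorted(r for r, (lvl, _) in rules.items() if lvl >= log_alert_level)

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for sid in (11205, 30112):
        print(sid, "feeds rules", dependents(rules, sid))
    print("logged at log_alert_level=2:", logged(rules, 2))
```

Running `dependents` against the real rule files before changing a rule's level shows which rules are at stake.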



