I keep getting alerts generated by Rule 1002 from my Snort logs:
Section from /var/ossec/logs/alerts/alerts.log (anonymised):
** Alert 1159947985.812: mail
2006 Oct 04 07:46:25 localhost->/var/log/snort/alert
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
[Classification: Misc Attack] [Priority: 2]
Section from snort log (anonymised):
[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
10/04-07:46:24.121366 127.0.0.1:1062 -> 127.0.0.2:1434
UDP TTL:116 TOS:0x0 ID:4340 IpLen:20 DgmLen:404
Len: 376
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5311][Xref => http://www.securityfocus.com/bid/5310]
The $BAD_WORDS variable in syslog_rules.xml includes 'attack' which is matched by 'Attack' in the snort alert when checked with syslog rule 1002.
Is it possible to exclude the snort logs from rule 1002?
- [ossec-list] False Positives generated by Rule 1002 and Snort Harry Wearne
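One way to stop rule 1002 from firing on the Snort alert file while leaving it active for every other log source, given as an added example that is not part of the original post: an OSSEC local rule that chains to 1002 with `if_sid`, narrows to the `location` shown in the alert above, and sets level 0. The file name and the rule id 100001 (assumed unused in the local-rule range) are assumptions.

```xml
<!-- local_rules.xml: added example, not from the original post.
     Assumes local rules live in this file and that id 100001 is unused.
     The location string is the path after "->" in the OSSEC alert
     header (localhost->/var/log/snort/alert). -->
<group name="local,syslog,">

  <!-- Level 0 means "ignore": no alert is generated. if_sid makes this
       rule a child of 1002, so it is only evaluated when 1002 would
       have matched, and location restricts it to events read from the
       Snort alert file, where 'Attack' inside [Classification: ...]
       is Snort's own label rather than a system error. Logs from any
       other location still trigger 1002 as before. -->
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <location>/var/log/snort/alert</location>
    <description>Ignore BAD_WORDS matches on Snort alert output.</description>
  </rule>

</group>
```

Paste one of the Snort lines into /var/ossec/bin/ossec-logtest before and after adding the rule to confirm that the matched rule changes from 1002 to 100001, then restart OSSEC.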
