Hi,

My department is testing a new installation of OSSEC using a MySQL
database, where we use automated MySQL queries to extract certain data
for our network. We ran across "Rule 11" ("The average number of logs
between 20:00 and 21:00 is X. We reached Y") while testing, and
realized that our query, which relies on the rule ID number to
properly extract and process the data, won't catch alerts related to
Rule 11 or any similar system "rules", as they aren't listed in the
rules XML files and don't have corresponding rule ID numbers. We've
implemented a workaround to catch Rule 11, but we were wondering if
there were any other system rules (i.e. things OSSEC will give an
alert about but which don't have a rule ID number) that we need to
look for.

Thanks very much in advance!
-Alisha

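One way to handle the problem described in the post is to stop treating the rule ID as the only key: alerts whose rule ID is in the set you loaded from the rules XML files are processed as before, the stats alert is recognised by its text (the "average number of logs" message quoted above) so X and Y can be extracted, and anything that matches neither is reported instead of silently dropped, which is how you find out whether there are other such alerts in your own data. The following is an added example, not code from the original post or from the OSSEC project; the `Alert` record, the column names, the rule IDs in `KNOWN_RULE_IDS` and the sample alerts are all constructed assumptions, not the OSSEC MySQL schema or real data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical minimal view of an OSSEC alert as an extraction query might
# return it: the rule ID the alert was stored with and the alert text.
# Field names are assumptions, not the OSSEC MySQL schema.
@dataclass
class Alert:
    rule_id: Optional[int]
    text: str

# Assumed set of rule IDs loaded from the rules XML files (hypothetical values).
# The stats alert the post calls "Rule 11" is deliberately not in it.
KNOWN_RULE_IDS = {5715, 31101, 40101}

# Matches the stats alert text quoted in the post:
# "The average number of logs between 20:00 and 21:00 is X. We reached Y"
STATS_RE = re.compile(
    r"The average number of logs between (\d{1,2}:\d{2}) and (\d{1,2}:\d{2}) "
    r"is (\d+)\. We reached (\d+)"
)

def parse_stats_alert(text):
    """Return the hour window, average (X) and reached (Y) values, or None."""
    m = STATS_RE.search(text)
    if not m:
        return None
    return {
        "start": m.group(1),
        "end": m.group(2),
        "average": int(m.group(3)),
        "reached": int(m.group(4)),
    }

def classify(alerts):
    """Split alerts into three buckets.

    by_rule   - rule ID is one the XML-based query already understands
    stats     - recognised by text as the 'average number of logs' alert
    unmatched - neither; surface these so new system alerts are noticed
                rather than lost
    """
    by_rule, stats, unmatched = [], [], []
    for alert in alerts:
        if alert.rule_id in KNOWN_RULE_IDS:
            by_rule.append(alert)
            continue
        parsed = parse_stats_alert(alert.text)
        if parsed is not None:
            stats.append((alert, parsed))
        else:
            unmatched.append(alert)
    return by_rule, stats, unmatched

# Constructed sample input (not real OSSEC output).
SAMPLE_ALERTS = [
    Alert(5715, "sshd: authentication success for user alice"),
    Alert(11, "The average number of logs between 20:00 and 21:00 is 3000. "
              "We reached 9500"),
    Alert(42, "some alert this query has never seen before"),
]

if __name__ == "__main__":
    by_rule, stats, unmatched = classify(SAMPLE_ALERTS)
    print("by rule id :", [a.rule_id for a in by_rule])
    print("stats      :", [p for _, p in stats])
    print("unmatched  :", [(a.rule_id, a.text) for a in unmatched])
```

The `unmatched` bucket is the practical answer to the question of what else might be missing: log those rule IDs and texts from the real database for a while and you have the list of system alerts your query needs to account for, without guessing.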