Michael,
you will probably get this type of events only when you start rolling out OSSEC
as more and more agents are starting to report or
you are adding logfiles to monitor. After that, when a baseline has been
established, this error will disappear or appear only
occassionally. If it occurs, it might indicate that a certain server is or has
been under attack and you might want to look into that.
If you, after all, want to disable this, I'd suggest adding an additional to
local_rules.xml :
<rule id="100011" level="0">
<if_sid>11</if_sid>
<description>suppress alerts from rule 11.</description>
</rule>
I'd strongly advise you not to :-)
Cheers,
Wim
On 26 Feb 2010, at 19:07, Michael Barrett wrote:
> ** Alert 1267180758.489235: mail - stats,
> 2010 Feb 26 04:39:18 (w3ts28) 144.122.232.58->syscheck-registry
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 4:00 and 5:00 is 1078. We reached 1403.
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
> Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7
> 1.888.601.4440 | * [email protected]
>
>
> “Accomplishing the impossible means only that your boss will add it to your
> regular duties” Doug Larson
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.
