I haven't made any major changes to my system in quite some time.  I still
get a bunch of these alerts.

Thanks for your assistance
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7
1.888.601.4440 | * [email protected]


“Accomplishing the impossible means only that your boss will add it to your
regular duties”  Doug Larson

This message is intended for use only by the person(s) addressed above and
may contain privileged and confidential information. Disclosure or use of
this message by any other person is strictly prohibited. If this message is
received in error, please notify the sender immediately and delete this
message.



From:    Wim Remes <[email protected]>
To:      [email protected]
Date:    02/26/2010 03:27 PM
Subject: Re: [ossec-list] How do I configure syscheck to ignore these events?
Sent by: [email protected]





Michael,

you will probably get this type of event only when you start rolling out
OSSEC, as more and more agents are starting to report or you are adding
logfiles to monitor.  After that, when a baseline has been established, this
error will disappear or appear only occasionally.  If it occurs, it might
indicate that a certain server is or has been under attack and you might want
to look into that.

If you, after all, want to disable this, I'd suggest adding an additional
rule to local_rules.xml:

  <rule id="100011" level="0">
    <if_sid>11</if_sid>
    <description>suppress alerts from rule 11.</description>
  </rule>

I'd strongly advise you not to :-)

Cheers,

Wim

On 26 Feb 2010, at 19:07, Michael Barrett wrote:

> ** Alert 1267180758.489235: mail  - stats,
> 2010 Feb 26 04:39:18 (w3ts28) 144.122.232.58->syscheck-registry
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 4:00 and 5:00 is 1078. We reached 1403.
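
An added example, not part of the original thread: before suppressing rule 11 outright, the alerts can be parsed and grouped per agent and location to see which ones are small baseline overshoots and which are real spikes. It assumes alert entries in the format quoted above; the second and third sample entries and the 3.0 cut-off are constructed for illustration.

```python
import re
from collections import defaultdict
# First entry is the alert quoted in this thread; the other two are constructed.
SAMPLE_LOG = """\
** Alert 1267180758.489235: mail  - stats,
2010 Feb 26 04:39:18 (w3ts28) 144.122.232.58->syscheck-registry
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 4:00 and 5:00 is 1078. We reached 1403.

** Alert 1267267158.100001: mail  - stats,
2010 Feb 27 04:39:18 (w3ts28) 144.122.232.58->syscheck-registry
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
The average number of logs between 4:00 and 5:00 is 1100. We reached 1390.

** Alert 1267270000.100002: mail  - stats,
2010 Feb 27 05:26:40 (web01) 192.0.2.10->/var/log/secure
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
The average number of logs between 5:00 and 6:00 is 200. We reached 2600.
"""

HEADER = re.compile(r"^\d{4} \w{3} \d+ [\d:]+ \((?P<agent>[^)]+)\) \S+->(?P<loc>.+)$", re.M)
STATS = re.compile(r"average number of logs between .+? is (\d+)\.\s+We reached\s+(\d+)\.")

def parse_stats_alerts(text):
    """Return one dict per rule 11 entry; entries missing a field are skipped."""
    alerts = []
    for block in text.split("** Alert ")[1:]:
        head, stats = HEADER.search(block), STATS.search(block)
        if not re.search(r"^Rule: 11 ", block, re.M) or not (head and stats):
            continue
        avg, reached = int(stats.group(1)), int(stats.group(2))
        alerts.append({"agent": head["agent"], "location": head["loc"],
                       "average": avg, "reached": reached,
                       "ratio": round(reached / avg, 2) if avg else float("inf")})
    return alerts

def triage(alerts, spike_ratio=3.0):
    """Group by (agent, location); spike_ratio is an assumed cut-off, tune it."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["agent"], a["location"])].append(a["ratio"])
    return {key: {"count": len(r), "max_ratio": max(r),
                  "verdict": "investigate" if max(r) >= spike_ratio else "baseline drift"}
            for key, r in groups.items()}

if __name__ == "__main__":
    print(triage(parse_stats_alerts(SAMPLE_LOG)))
```

A location that only ever shows small overshoots is a candidate for a narrowly scoped suppression; a high ratio is the case the reply above says to look into.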

