Hi all,
I have included a squid proxy server in our monitoring logs via OSSEC. But I am
receiving a lot of alerts in 30 minutes (75 more or less). All alerts are like this:
OSSEC HIDS Notification.
2011 Feb 24 21:00:45
Received From: (rhelclunode02)
172.25.50.15->/var/log/squid/anon/proxy-anon-access.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
1298577645.051 3 work01.mydomain.com TCP_DENIED/403 4005 GET http://feedads.g.doubleclick.net/~a/3tvrTRqbOyfw7K11Fel0SLcLBMM/0/di - NONE/- text/html
I have configured a policy under the squid server to block adservers, certain sites, etc.
This TCP_DENIED is correct, because the .doubleclick.net domain is in the blacklist.
But why is rule 1002 fired?? I see the rule and it contains the BAD_WORDS variable, which
includes the word "denied". Is that the problem??
Maybe I have defined my logfiles badly under agent.conf??
<localfile>
  <log_format>squid</log_format>
  <location>/var/log/squid/anon/*.log</location>
</localfile>
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
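To illustrate why a generic word-list rule can fire on a squid access log line that the proxy's own fields show to be an ordinary access-list denial, here is an added example in Python (not from the original post, nor OSSEC's own code). The BAD_WORDS subset and the extra sample lines are constructed, and the case-insensitive substring match is an assumption about how OSSEC's generic rule behaves.

```python
# Constructed sample lines in squid "native" access.log format. The first
# reproduces the line quoted in the post; the other two are made up.
SAMPLE_LINES = [
    "1298577645.051 3 work01.mydomain.com TCP_DENIED/403 4005 GET "
    "http://feedads.g.doubleclick.net/~a/3tvrTRqbOyfw7K11Fel0SLcLBMM/0/di - NONE/- text/html",
    "1298577650.120 210 10.0.0.7 TCP_MISS/200 5123 GET "
    "http://example.org/index.html - DIRECT/93.184.216.34 text/html",
    "1298577652.004 15 10.0.0.9 TCP_MISS/503 800 GET "
    "http://example.net/ - DIRECT/203.0.113.5 text/html",
]

# Assumed subset of the words a generic "bad words" rule looks for; the post
# says OSSEC's BAD_WORDS variable includes "denied". Not a copy of OSSEC's list.
BAD_WORDS = ["error", "denied", "refused", "failed"]


def native_line_matches_bad_words(line, words=BAD_WORDS):
    """Mimic a word-list rule: case-insensitive substring match on the raw line.
    'TCP_DENIED' is hit by 'denied' even though it is a normal squid result code."""
    lower = line.lower()
    return [w for w in words if w in lower]


def parse_squid_native(line):
    """Split a squid native-format access log line into named fields."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a squid native access log line")
    result_code, _, status = fields[3].partition("/")
    return {
        "timestamp": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "result_code": result_code,
        "status": int(status),
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
    }


def classify(line):
    """Classify on the decoded fields instead of raw words: an ACL denial is
    expected policy enforcement, while a 5xx status is a real upstream error."""
    rec = parse_squid_native(line)
    if rec["result_code"] == "TCP_DENIED":
        return "policy_block"
    if rec["status"] >= 500:
        return "server_error"
    return "normal"
```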