Very strange issue - OSSEC will intermittently fail to generate an alarm
for a specific decoder/rule. All systems are RHEL, iptables is disabled.
OSSEC HIDS v2.6 - Trend Micro Inc.
/etc/init.conf:
DIRECTORY="/var/ossec"
VERSION="v2.6"
DATE="Thu Nov 10 18:57:58 CST 2011"
TYPE="server"
Here is the decoder:
<decoder name="silvertail">
<program_name>^mitigator|^reportbuilder</program_name>
</decoder>
<decoder name="silvertail-alert">
<parent>silvertail</parent>
<prematch>[SILVERTAIL_ALERT] </prematch>
<regex offset="after_prematch">^ip=(\d+.\d+.\d+.\d+)\|\|action=(\.+)\|\|rule=(\w+)</regex>
<order>srcip,extra_data,action</order>
</decoder>
Here is the rule:
<rule id="700100" level="5">
<decoded_as>silvertail</decoded_as>
<match>[alert]</match>
<description>Silvertail Alert</description>
</rule>
Log test (scrubbed) - note that there was no alert for this log, but it
says that one should be generated:
ossec]# /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2012/06/01 18:09:45 ossec-testrule: INFO: Reading local decoder file.
2012/06/01 18:09:46 ossec-testrule: INFO: Started (pid: 17241).
ossec-testrule: Type one log per line.
Jun 1 17:55:09 <host> mitigator[1709]: [alert] <host> <host> [listener 1.11] [SILVERTAIL_ALERT] ip=<ip>||action=flag||rule=Security_Alert_DDoS_Targeted_Feature||duration=86400||request=<site>
**Phase 1: Completed pre-decoding.
full event: 'Jun 1 17:55:09 <host> mitigator[1709]: [alert] <host> <host> [listener 1.11] [SILVERTAIL_ALERT] ip=<ip>||action=flag||rule=Security_Alert_DDoS_Targeted_Feature||duration=86400||request=<site>'
hostname: '<host>'
program_name: 'mitigator'
log: '[alert] <host> <host> [listener 1.11] [SILVERTAIL_ALERT] ip=<ip>||action=flag||rule=Security_Alert_DDoS_Targeted_Feature||duration=86400||request=<host>'
**Phase 2: Completed decoding.
decoder: 'silvertail'
srcip: '<host>'
extra_data: 'flag'
action: 'Security_Alert_DDoS_Targeted_Feature'
**Phase 3: Completed filtering (rules).
Rule id: '700100'
Level: '5'
Description: 'Silvertail Alert'
**Alert to be generated.
Is it possible that the server becomes overloaded with alerts and misses a
few? I cannot figure out why some alerts fire, and others don't, at
random. Is there any other testing I can do to nail down the cause of this
issue?
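An offline replay of the decoder and rule above, added here as an example and not part of the original post or of OSSEC itself: it hand-translates the silvertail decoder and rule 700100 into Python's re module so many log variants can be pushed through the same three phases (pre-decode, decode, rule match) without a running analysisd. Assumptions: OSSEC's `\.` means any character and `.` a literal dot, `\|` is a literal pipe, `<match>` is a substring test, and the hostnames and IPs in the sample lines are constructed.

```python
import re

# Hand translation of the page's decoder into Python re.
# Assumption: OSSEC '\.' (any char) -> '.', OSSEC '.' (literal) -> '\.', '\|' -> '\|'.
PROGRAM_NAME = re.compile(r"^(mitigator|reportbuilder)")
PREMATCH = "[SILVERTAIL_ALERT] "            # searched anywhere in the log
FIELDS = re.compile(r"^ip=(\d+\.\d+\.\d+\.\d+)\|\|action=(.+)\|\|rule=(\w+)")
ORDER = ("srcip", "extra_data", "action")    # <order> of the child decoder
RULE_MATCH = "[alert]"                       # <match> of rule 700100, substring test
RULE_ID = "700100"

# Syslog header: "Mon  D HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^\[: ]+)(?:\[\d+\])?: (.*)$")

def predecode(line):
    """Phase 1: split off hostname, program_name and the log body."""
    m = SYSLOG.match(line)
    if not m:
        return None
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def decode(ev):
    """Phase 2: parent decoder by program_name, child by prematch + regex."""
    if not PROGRAM_NAME.match(ev["program_name"]):
        return None
    out = {"decoder": "silvertail"}          # child inherits the parent's name
    pos = ev["log"].find(PREMATCH)
    if pos < 0:
        return out                           # parent matched, no fields extracted
    m = FIELDS.match(ev["log"][pos + len(PREMATCH):])   # offset="after_prematch"
    if m:
        out.update(zip(ORDER, m.groups()))
    return out

def evaluate(line):
    """Phase 3: returns decoded fields plus rule_id when rule 700100 would fire."""
    ev = predecode(line)
    decoded = decode(ev) if ev else None
    if decoded is None:
        return None
    decoded["rule_id"] = RULE_ID if RULE_MATCH in ev["log"] else None
    return decoded

# Constructed sample lines (hosts/IPs are placeholders, not from the original post).
SAMPLE_LINES = [
    "Jun 1 17:55:09 host1 mitigator[1709]: [alert] host1 host1 [listener 1.11] [SILVERTAIL_ALERT] "
    "ip=192.0.2.10||action=flag||rule=Security_Alert_DDoS_Targeted_Feature||duration=86400||request=example.test",
    "Jun 1 17:56:00 host1 reportbuilder[2201]: [info] report done [SILVERTAIL_ALERT] ip=192.0.2.11||action=log||rule=Report_Summary",
    "Jun 1 17:57:00 host1 sshd[900]: Accepted publickey for ops from 192.0.2.5 port 2222",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(line))
```

Lines that decode but carry no `[alert]` (the second sample) show the difference between "decoded" and "alerted"; a line that never reaches the decoder (the third) returns None.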