On Jun 17, 2015 7:26 PM, "Daniel X" <[email protected]> wrote:
>
> Thanks for the reply Dan,
>
> I understand that line in the default rules. What I don't understand is how Sev 7 is (according to the doc I linked to above):
>
> _07 - “Bad word” matching. They include words like “bad”, “error”, etc. These events are most of the time unclassified and may have some security relevance._
>
> yet Sev 11 is described as (and thus seems more fitting to me):
>
> _11 - Integrity checking warning - They include messages regarding the modification of binaries or the presence of rootkits (by rootcheck)._
>
> I'm thinking this doc may not be entirely correct in its descriptions so will probably just ignore the descriptions.
>
It's a generic document written probably 10+ years ago. I thought it might be interesting in a general or historical sense, so I made sure to include it. I feel like the severity of the file integrity alerts was lessened or not raised to that level because the alerts aren't that interesting.

> Daniel
>
> On 17 June 2015 at 23:24, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jun 10, 2015 at 2:15 AM, Daniel X <[email protected]> wrote:
>> > Hi OSSECers,
>> >
>> >
>> > I've recently been working with Splunk dashboarding (using the Splunk for
>> > OSSEC app as a starting point).
>> >
>> > One of the features I've expanded is the 'top severities list', where I've
>> > named the severities according to the Rules Classification documentation
>> > ( http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-levels.html )
>> >
>> > What I've noticed is that the 'Integrity Checksum Changed' signature is
>> > coming in as Severity 7 (Bad Word Match), and looking into the rules I can
>> > see that reflected, and the only thing I see at sev "11" are the IDS rules.
>> >
>> > Below are relevant sections in the rules in OSSEC 2.8.1. Is it correct that
>> > rule id 510 has level="7"? I'm going to change it to 11 in my local config,
>> > but it'd be good to know the intentions of this if it's not an oversight.
>> >
>>
>> Yes, level 7 appears to be correct:
>> https://github.com/ossec/ossec-hids/blob/master/etc/rules/ossec_rules.xml#L61
>>
>> > rules/ids_rules.xml
>> > <rule id="510" level="7">
>> >   <if_sid>509</if_sid>
>> >   <description>Host-based anomaly detection event
>> > (rootcheck).</description>
>> >   <group>rootcheck,</group>
>> >   <if_fts />
>> > </rule>
>> >
>> >
>> > rules/ids_rules.xml
>> > <!-- This rule is to detect bad configured IDSs alerting on
>> >   - the same thing all the time. We will skip those events
>> >   - since they became just noise.
>> > -->
>> > <rule id="20161" level="11" frequency="3" timeframe="3800">
>> >   <if_matched_sid>20151</if_matched_sid>
>> >   <same_source_ip />
>> >   <same_id />
>> >   <ignore>srcip, id</ignore>
>> >   <description>Multiple IDS events from same source ip </description>
>> >   <description>(ignoring now this srcip and id).</description>
>> > </rule>
>> >
>> > <rule id="20162" level="11" frequency="3" timeframe="3800">
>> >   <if_matched_sid>20152</if_matched_sid>
>> >   <same_id />
>> >   <ignore>id</ignore>
>> >   <description>Multiple IDS alerts for same id </description>
>> >   <description>(ignoring now this id).</description>
>> > </rule>
>> >
>> > Thanks!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
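The override Daniel describes (raising rule 510 to level 11 in his local config) and dan's point that the level is set in the default rule file can be checked mechanically. The Python below is an added example, not code from the thread or from the OSSEC project: it parses constructed excerpts of the quoted rules, applies a constructed local_rules.xml entry using OSSEC's overwrite="yes" attribute, and lists which rule ids sit at a given level, as the poster's 'top severities list' does. Rejecting a duplicate id that lacks overwrite="yes" is this example's own policy, not a claim about how ossec-analysisd behaves.

```python
import xml.etree.ElementTree as ET
# Constructed excerpt of the default rules quoted in the thread (two top-level <group> elements, as in the real files).
DEFAULT_RULES = """
<group name="syslog,">
  <rule id="510" level="7">
    <if_sid>509</if_sid>
    <description>Host-based anomaly detection event (rootcheck).</description>
    <group>rootcheck,</group>
    <if_fts />
  </rule>
</group>
<group name="ids,">
  <rule id="20161" level="11" frequency="3" timeframe="3800">
    <if_matched_sid>20151</if_matched_sid>
    <description>Multiple IDS events from same source ip </description>
    <description>(ignoring now this srcip and id).</description>
  </rule>
</group>
"""
# Constructed local_rules.xml entry raising rule 510 to level 11; overwrite="yes" lets a local rule replace a default one.
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="510" level="11" overwrite="yes">
    <if_sid>509</if_sid>
    <description>Host-based anomaly detection event (rootcheck).</description>
    <group>rootcheck,</group>
    <if_fts />
  </rule>
</group>
"""
def parse_rules(text):
    """Rule files are XML fragments with no single root, so wrap them before parsing."""
    rules = {}
    for rule in ET.fromstring("<ossec_rules>" + text + "</ossec_rules>").iter("rule"):
        # Repeated <description> elements are joined into one string, as OSSEC does.
        desc = "".join(d.text or "" for d in rule.findall("description")).strip()
        rules[int(rule.get("id"))] = {"level": int(rule.get("level")), "description": desc,
                                      "overwrite": rule.get("overwrite") == "yes"}
    return rules
def load_ruleset(files):
    """Load in order; a later definition replaces an earlier one only with overwrite="yes" (assumed policy)."""
    ruleset = {}
    for text in files:
        for rid, rule in parse_rules(text).items():
            if rid in ruleset and not rule["overwrite"]:
                raise ValueError(f'rule {rid} redefined without overwrite="yes"')
            ruleset[rid] = rule
    return ruleset
def rules_at_level(ruleset, level):
    return sorted(rid for rid, r in ruleset.items() if r["level"] == level)
```

Loading only DEFAULT_RULES leaves 510 at level 7 with only 20161 at level 11; loading LOCAL_RULES afterwards moves 510 to level 11 without touching the default file.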
