It happens because there is the string 'erRoR' in that string, which matches one of the bad words that rule 1002 looks for. Not sure if there is an open bug for this or not; it's been an issue for a while.
I filter them out with this rule:

<!-- ignore "--MARK--" messages, per http://ossec-docs.readthedocs.org/en/latest/faq/alerts.html#id7, cplummer 2015/02/03 -->
<rule id="100025" level="0">
  <if_sid>1002</if_sid>
  <regex>^--MARK--</regex>
  <description>Known OSSEC keepalive errors</description>
</rule>

On Mon, Aug 10, 2015 at 12:54 PM, Brian Buchanan <[email protected]> wrote:
> I am using 2.8.1
>
> On Monday, August 10, 2015 at 11:15:50 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Aug 10, 2015 at 11:06 AM, Brian Buchanan
>> <[email protected]> wrote:
>> > Hello, I am getting this error and all it gives me is this hash:
>> > "--MARK--:
>> > p&'yxitw]t2v9Q0xq^Lx9v_JY,lZxWG[_$sZ+[+ynab=Qj26;h.1*(TJ%4QT8ENXZoq,igu9U9ie(@@!Aq)lQGcyTazv($(']R+RfXuZADlmiEEIVscfYS(lbl+)Gp$^okAtqVAQGMl,&PE)7_'%HtH-E!9@
>> > [/cijDC$Gk@#W-8H_Uud=1*#_727LF[F(,,J$#qn-]HN(XComerRoRxQ6'rl#Z?"
>> >
>> > How do I decode this into something useful?
>>
>> That's an internal OSSEC keep alive message. You can ignore it. It's
>> supposed to be filtered out before it alerts, but sometimes one slips
>> through. What version of OSSEC are you using?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
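
Added example, not part of the thread and not OSSEC's own code: a simplified Python model of how the child rule above (if_sid 1002, level 0, regex ^--MARK--) overrides the parent only for keepalive lines. The word list, the parent's level and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed, abbreviated stand-in for the word list rule 1002 matches on;
# the thread only confirms that "error" is matched regardless of case.
BAD_WORDS = ("error", "failure", "denied")

# Regex of the child rule from the message (id 100025, level 0, if_sid 1002).
MARK_RE = re.compile(r"^--MARK--")


def evaluate(log):
    """Return (rule_id, level) for one log line, or None if no rule matches."""
    lowered = log.lower()
    if not any(word in lowered for word in BAD_WORDS):
        return None                 # parent 1002 never fires
    # Parent 1002 matched; a child with if_sid 1002 that also matches wins.
    if MARK_RE.search(log):
        return (100025, 0)          # level 0: suppressed, no alert
    return (1002, 2)                # parent level is an assumption


def alerts(lines):
    """Lines that would still raise an alert (matched rule has level > 0)."""
    hits = []
    for line in lines:
        result = evaluate(line)
        if result is not None and result[1] > 0:
            hits.append(line)
    return hits


# Constructed sample lines, not taken from a real agent.
SAMPLES = [
    "--MARK--: a8#kLerRoRq2!x",               # keepalive, 'erRoR' by chance
    "--MARK--: kq9$Lx_JY,lZxWG[+ynab=Qj26",   # keepalive, no bad word
    "sshd[411]: error: --MARK-- in payload",  # real error, marker not at start
    "kernel: I/O error on device sda",        # real error
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample), sample)
```

Because the regex is anchored with ^, a genuine error line that merely contains --MARK-- later in the text still alerts under rule 1002.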
