I created a rule to detect an iptables flush. Below is my rule:
<group name="syslog,iptables,">
  <rule id="100005" level="5">
    <match>iptables -F</match>
    <description>iptables flush detected</description>
  </rule>
</group> <!-- syslog,iptables, -->
I have set syslog output to my Graylog server for alert storing,
but OSSEC is matching alerts like the one below:
"May 14 04:25:01 hypr1002.ops.dfw1.inmobi.com CRON[113187]: (root) CMD
(command -v debian-sa1 > /dev/null && debian-sa1 1 1)"
I tried to debug this with ossec-logtest, but logtest did not match any
rule for this log.
So I do not know why OSSEC is matching this rule for such alerts. I am
getting many of these false alerts; around 800+ in a day.
Can anyone help me with this?
You received this message because you are subscribed to the Google Groups
"ossec-list" group.