Rule 1002 is a general catch-all rule which matches generic "bad words" 
like "failed" and "denied", as you can see here:

https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35

It's a false positive for you, since the word "failed" appears in the 
Referer field of your HTTP logs.  You can silence these by writing your own 
more specific rule to catch them, e.g.
https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74

On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:

> We keep receiving these notifications from OSSEC. Our site has nothing to 
> do with dailymail. Is this worrying or is this a false alert?
>
> Received From: server->/var/log/nginx/access.log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>

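A local override rule of the kind the reply describes, added here as an example that is not part of this thread or of the ossec-rules project. It assumes the usual OSSEC layout (site rules in /var/ossec/rules/local_rules.xml, custom ids from 100000 upward); the id 100002 and the regex are my own choices, and the regex uses OSSEC's own syntax (`\S`, `\w`, `\d`, literal `[` `]`), not PCRE.

```xml
<!-- /var/ossec/rules/local_rules.xml (example; id and regex are assumptions) -->
<group name="local,web,">
  <!-- Child of the generic bad-word rule 1002. It only matches an nginx/apache
       access-log line whose request completed normally and where "failed"
       sits inside the quoted Referer field (the 7th field). Level 0 means
       OSSEC records no alert for lines this rule catches. -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <regex>^\S+ - - [\S+ \S+] "\w+ \S+ HTTP/\S+" \d+ \d+ "\S+failed\S+" "</regex>
    <description>Bad-word match caused by "failed" in the HTTP Referer; ignored.</description>
  </rule>
</group>
```

Paste the offending line into /var/ossec/bin/ossec-logtest before restarting OSSEC to confirm that 100002 now fires at level 0 instead of 1002 at level 2; because the pattern pins "failed" to the Referer position, the same word in the request path or elsewhere in the line still alerts.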