Actually I have tried to add the rule you have highlighted:

<rule id="1009" level="0">
  <if_sid>1002</if_sid>
  <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
  <pcre2>PPM exceeds tolerance</pcre2>
  <description>Ignoring known false positives on rule 1002..</description>
</rule>

to my file: /var/ossec/rules/local_rules.xml

but I am getting a configuration error when I restart OSSEC. Not sure why 
this happens as I am just copying and pasting that rule from your example.

many thanks again,
Andrew

On Monday, 16 November 2020 at 18:00:32 UTC dan (ddpbsd) wrote:

> No worries. You added some great information.
>
> On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny <saw...@gmail.com> wrote:
> >
> > ACK! Sorry! Didn't see you'd already replied, Dan...
> >
> > What he said. :)
> >
> > Scott
> >
> >
> > On Mon, Nov 16, 2020, 10:10 dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> On Mon, Nov 16, 2020 at 7:27 AM Andrew S <banan...@gmail.com> wrote:
> >> >
> >> > Hi Brian,
> >> >
> >> > Thank you for the clarification but I don't understand why someone would associate our website with dailymail.co.uk ?
> >> >
> >>
> >> I haven't verified, but Brian mentioned dailymail being in the
> >> referrer field. So there was (possibly) a link somewhere on the page
> >> in the log message pointing at your site.
> >>
> >> > GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
> >> >
> >> > I understand the part of the log: GET / HTTP/2.0" 200
> >> >
> >> > I don't understand:
> >> >
> >> > 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
> >> >
> >> > Why 84 and why this dailymail URL ?
> >> >
> >> > many thanks
> >> > Andrew
> >> >
> >> > On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
> >> >>
> >> >> Rule 1002 is a general catch-all rule which matches generic "bad words" like "failed" and "denied", as you can see here:
> >> >>
> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
> >> >>
> >> >> It's a false positive for you, since the word "failed" appears in the Referer field of your HTTP logs. You can silence these by writing your own more specific rule to catch them, e.g.
> >> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
> >> >>
> >> >> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
> >> >>>
> >> >>> We keep receiving these notifications from OSSEC. Our site has nothing to do with dailymail. Is this worrying or is this a false alert?
> >> >>>
> >> >>> Received From: server->/var/log/nginx/access.log
> >> >>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> >> >>> Portion of the log(s):
> >> >>>
> >> >>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send an email to ossec-list+...@googlegroups.com.
> >> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/7a59f156-2823-4945-a828-6d9bc7f5c4e4n%40googlegroups.com
> .
> >>

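As an added illustration of the point Brian makes in the thread (this is example code written for this page, not code from the thread, from OSSEC or from the ossec-rules project): the quoted line is in nginx's "combined" log format, where the number after the status code is $body_bytes_sent and the first quoted string after it is $http_referer. The snippet below parses such lines into their fields and then models the parent/child rule relationship: a stand-in for rule 1002 fires on the words "failed" and "denied" anywhere in the line, and a level-0 child rule with the hypothetical id 100002 silences it only when every bad word sits inside the Referer field and nowhere else. The sample lines are constructed (the first reuses the request, status, byte count and Referer URL from the thread), the two-word list is a stand-in for rule 1002's longer list, and the child rule id is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample access-log lines in nginx "combined" format. The first one
# reuses the request, status, byte count and Referer URL quoted in the thread;
# the other two are made up to show the rules behaving differently.
SAMPLE_LINES = [
    '2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] '
    '"GET / HTTP/2.0" 200 84 '
    '"https://www.dailymail.co.uk/news/article-8949475/'
    'SOAS-failed-2017-admit-single-white-working-class-student.html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0.3538.102 Safari/537.36"',
    # constructed: the suspicious word is in the request itself, not the Referer
    '203.0.113.7 - - [15/Nov/2020:08:30:00 +0000] '
    '"GET /login?result=failed HTTP/1.1" 401 12 "-" "curl/7.68.0"',
    # constructed: an ordinary line with no bad words at all
    '198.51.100.4 - - [15/Nov/2020:08:31:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# nginx "combined" log format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Stand-in for the generic "bad words" of OSSEC rule 1002 (the real rule carries
# a longer list; only the two words named in the thread are used here).
BAD_WORDS_RE = re.compile(r'failed|denied', re.IGNORECASE)


def parse_combined(line: str) -> Optional[dict]:
    """Split a combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


@dataclass
class Verdict:
    rule_id: int
    level: int
    description: str


def evaluate(line: str) -> Optional[Verdict]:
    """Toy model of the parent/child rule relationship.

    Rule 1002 (level 2) fires when a bad word appears anywhere in the line.
    A child rule with the hypothetical id 100002 (level 0, if_sid 1002) then
    silences it when every bad word is inside the Referer field and nowhere else.
    """
    if not BAD_WORDS_RE.search(line):
        return None  # rule 1002 does not match at all
    fields = parse_combined(line)
    if fields is not None:
        # Re-assemble the line without the Referer field and look again.
        rest = " ".join(fields[k] for k in
                        ("client", "user", "time", "request", "status", "bytes", "agent"))
        if not BAD_WORDS_RE.search(rest):
            return Verdict(100002, 0, "Bad word only in Referer header; ignoring rule 1002")
    return Verdict(1002, 2, "Unknown problem somewhere in the system.")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_combined(line)
        print(f"bytes={f['bytes']:>4} referer={f['referer'][:40]!r} -> {evaluate(line)}")
```

The field-based check is deliberately stricter than a bare pattern on the Referer: a line whose request also contains "failed" (the second sample) still raises the level-2 alert, so a noisy Referer cannot mask a real failure elsewhere on the same line. When turning this into a local rule, give it an id in the 100000-119999 range that OSSEC reserves for custom rules rather than reusing an id from the shipped rule set.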