Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-analysisd: Configuration error. Exiting.

On Wednesday, 18 November 2020 at 08:39:19 UTC Brian Candler wrote:
> And what does the configuration error message say?
>
> On Tuesday, 17 November 2020 at 17:10:45 UTC Andrew S wrote:
> > Actually I have tried to add the rule you have highlighted:
> >
> >   <rule id="1009" level="0">
> >     <if_sid>1002</if_sid>
> >     <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
> >     <pcre2>PPM exceeds tolerance</pcre2>
> >     <description>Ignoring known false positives on rule 1002..</description>
> >   </rule>
> >
> > to my file: /var/ossec/rules/local_rules.xml
> >
> > but I am getting a configuration error when I restart OSSEC. Not sure why
> > this happens as I am just copying and pasting that rule from your example.
> >
> > many thanks again,
> > Andrew
> >
> > On Monday, 16 November 2020 at 18:00:32 UTC dan (ddpbsd) wrote:
> > > No worries. You added some great information.
> > >
> > > On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny <[email protected]> wrote:
> > > > ACK! Sorry! Didn't see you'd already replied, Dan...
> > > >
> > > > What he said. :)
> > > >
> > > > Scott
> > > >
> > > > On Mon, Nov 16, 2020, 10:10 dan (ddp) <[email protected]> wrote:
> > > > > On Mon, Nov 16, 2020 at 7:27 AM Andrew S <[email protected]> wrote:
> > > > > > Hi Brian,
> > > > > >
> > > > > > Thank you for the clarification but I don't understand why someone
> > > > > > would associate our website with dailymail.co.uk ?
> > > > >
> > > > > I haven't verified, but Brian mentioned dailymail being in the
> > > > > referrer field. So there was (possibly) a link somewhere on the page
> > > > > in the log message pointing at your site.
> > > > >
> > > > > > GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
> > > > > >
> > > > > > I understand the part of the log: GET / HTTP/2.0" 200
> > > > > >
> > > > > > I don't understand:
> > > > > >
> > > > > > 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html"
> > > > > >
> > > > > > Why 84 and why this dailymail URL ?
> > > > > >
> > > > > > many thanks
> > > > > > Andrew
> > > > > >
> > > > > > On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
> > > > > > > Rule 1002 is a general catch-all rule which matches generic "bad
> > > > > > > words" like "failed" and "denied", as you can see here:
> > > > > > >
> > > > > > > https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
> > > > > > > https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
> > > > > > >
> > > > > > > It's a false positive for you, since the word "failed" appears in
> > > > > > > the Referer field of your HTTP logs. You can silence these by writing
> > > > > > > your own more specific rule to catch them, e.g.
> > > > > > >
> > > > > > > https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
> > > > > > >
> > > > > > > On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
> > > > > > > > We keep receiving these notifications from OSSEC. Our site has
> > > > > > > > nothing to do with dailymail. Is this worrying or is this a false alert?
> > > > > > > >
> > > > > > > > Received From: server->/var/log/nginx/access.log
> > > > > > > > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > > > > > > > Portion of the log(s):
> > > > > > > >
> > > > > > > > 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/ad9c3fa6-9393-4051-ab5e-4dc0fed2d629n%40googlegroups.com.
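An added check for the situation in this thread (example code written for this page, not from the thread or the OSSEC project). It parses the nginx "combined" access.log line quoted above into its named fields, which shows that the "84" is nginx's $body_bytes_sent and that the rule-1002 trigger word "failed" sits in the referer field, and then dry-runs a constructed local_rules.xml fragment before it is handed to OSSEC: well-formed XML, rule ids in the 100000-119999 range OSSEC reserves for local rules, repeated pattern elements joined into one string the way OSSEC concatenates them (which is why the stock rule 1009 ends one element with "|"), a pattern that would match every line rejected, and the pattern compiled and tested against the sample line. Assumptions: rule id 100100 and the dailymail-referer pattern are made up for the example; Python's re stands in for PCRE2; and the version gate encodes my recollection that <pcre2> rule elements arrived with OSSEC 3.0 while the thread's restart output shows v2.8, which should be checked against the release notes rather than taken from here.

```python
"""Dry-run an OSSEC local rule against the nginx line that raised the alert."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the access.log line quoted in the thread, as one line.
SAMPLE_LINE = (
    '2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] '
    '"GET / HTTP/2.0" 200 84 '
    '"https://www.dailymail.co.uk/news/article-8949475/'
    'SOAS-failed-2017-admit-single-white-working-class-student.html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 '
    'Safari/537.36 Edge/18.19041"'
)

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

# Generic "bad words" the thread says rule 1002 keys on.
TRIGGER_WORDS = ("failed", "denied")


def parse_combined(line):
    """Split a combined-format line into its named fields."""
    m = COMBINED.match(line)
    if m is None:
        raise ValueError("line is not in nginx combined format")
    return m.groupdict()


def trigger_fields(fields):
    """Names of the fields that contain a rule-1002 trigger word."""
    return [k for k, v in fields.items()
            if any(w in v.lower() for w in TRIGGER_WORDS)]


# Constructed local_rules.xml fragment (hypothetical id and pattern). It is
# specific to the referer that produced the alert rather than silencing all
# of rule 1002 for the nginx log.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <pcre2>"GET / HTTP/[0-9.]+" 200 \\d+ "https://www\\.dailymail\\.co\\.uk/</pcre2>
    <description>Ignore rule 1002 hits caused by a dailymail.co.uk referer.</description>
  </rule>
</group>
"""

PATTERN_ELEMENTS = ("match", "regex", "pcre2")


def load_local_rules(xml_text, ossec_version=(3, 0)):
    """Parse the fragment; return [(rule_id, parent_sid, pattern)] per rule."""
    root = ET.fromstring(xml_text)        # ParseError if not well-formed XML
    rules, seen = [], set()
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if rid in seen:
            raise ValueError(f"duplicate rule id {rid}")
        if not 100000 <= rid <= 119999:
            raise ValueError(f"rule id {rid} is outside the local rule range")
        seen.add(rid)
        # Assumption (verify against release notes): <pcre2> needs OSSEC >= 3.0.
        if ossec_version < (3, 0) and rule.find("pcre2") is not None:
            raise ValueError(f"rule {rid} uses <pcre2>, assumed unsupported before 3.0")
        parent = rule.findtext("if_sid")
        # OSSEC joins repeated pattern elements of one rule into a single
        # string, which is why a stock rule can end one element with '|'.
        pattern = "".join(e.text or "" for e in rule if e.tag in PATTERN_ELEMENTS)
        if pattern and re.search(pattern, "") is not None:
            raise ValueError(f"rule {rid} pattern matches the empty string and "
                             "would silence every parent hit")
        rules.append((rid, parent, pattern))
    return rules


def rule_matches(pattern, line):
    """Dry-run a pcre2-style pattern with Python's re (close enough for a check)."""
    return re.search(pattern, line) is not None


if __name__ == "__main__":
    fields = parse_combined(SAMPLE_LINE)
    print("body_bytes_sent:", fields["body_bytes_sent"])
    print("trigger word found in:", trigger_fields(fields))
    for rid, parent, pattern in load_local_rules(LOCAL_RULES):
        print(f"rule {rid} (child of {parent}) matches sample:",
              rule_matches(pattern, SAMPLE_LINE))
```

Run it once with the real line from the alert pasted into SAMPLE_LINE and the candidate rule pasted into LOCAL_RULES: a pattern that does not match the sample line will never fire as a child of 1002, and a pattern that matches the empty string will hide every 1002 hit from that log, not just the false positive.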
