HIDS 1003

From Atomicorp Wiki

Rule ID

1003

Status

Active rule currently published.

Description

Rule: 1003 Non standard syslog message (size too large).

This rule detects excessively large syslog messages. In general, a syslog message should not carry so much data that it can overwhelm an application reading it, which might lead to the compromise of that application and, in some cases, of the system. ASL itself is immune to this; however, other log monitoring applications may not be. Excessively large syslog messages may also indicate a broken or erroring application, or some other abnormal condition.

These unknown events could be benign and harmless, or they could be serious problems or even attacks on the system. When ASL detects a syslog message that is greater than 1025 characters (1024 being the typical maximum that some applications are limited to), it will alert you that this event has occurred.
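As an added example (not code from the Atomicorp wiki or from ASL itself), the following Python checker applies the rule's 1025-character threshold to a constructed batch of syslog lines and groups the oversize hits by host and program tag, which helps separate a repeatedly erroring application from a one-off event. The header regex, the sample lines and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Threshold from the rule text: alert when a message is greater than 1025
# characters (1024 is the typical maximum many syslog consumers accept).
MAX_SYSLOG_LEN = 1025

# Loose RFC 3164-style header: optional <PRI>, timestamp, host, program tag.
# This pattern is an assumption for the example, not the rule's own parser.
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)"
)


def oversize_events(lines, limit=MAX_SYSLOG_LEN):
    """Return [(line_no, length, host, tag)] for every line longer than `limit`.
    Length is measured in characters, matching the rule description."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if len(line) <= limit:          # exactly 1025 does not trigger
            continue
        m = SYSLOG_HEADER.match(line)
        host = m.group("host") if m else "?"
        tag = m.group("tag") if m else "?"
        hits.append((n, len(line), host, tag))
    return hits


def noisy_programs(hits):
    """Count oversize messages per (host, tag): a program that keeps producing
    them is more likely broken or erroring than a single stray message."""
    return Counter((h, t) for _, _, h, t in hits)


# Constructed sample input: two normal lines, one exactly at the limit, two oversize.
HDR = "<13>Mar  1 10:15:04 web01 app[400]: "
SAMPLE = [
    "<34>Mar  1 10:15:02 web01 sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 52214",
    "<13>Mar  1 10:15:03 web01 cron[88]: (root) CMD (run-parts /etc/cron.hourly)",
    HDR + "x" * (MAX_SYSLOG_LEN - len(HDR)),
    HDR + "A" * 1400,
    HDR + "B" * 2000,
]

if __name__ == "__main__":
    for n, size, host, tag in oversize_events(SAMPLE):
        print(f"line {n}: {size} chars from {host}/{tag} (rule 1003 would fire)")
    print(noisy_programs(oversize_events(SAMPLE)))
```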

False Positives

This rule can only be triggered if the event is larger than 1025 characters.

Tuning Recommendations

None.

Similar Rules
