Difference between revisions of "HIDS 1002"
Latest revision as of 15:51, 30 August 2024
Rule ID: 1002
Status: Active rule currently published.
Description
This rule is a catch-all rule that detects new events that OSSEC does not yet understand. When this happens, the software reports "Unknown problem somewhere in the system." Whenever this occurs, OSSEC will email you the event, even though a 1002 event may be set at a lower alert level than the minimum level you have configured OSSEC to send emails for. 1002 events are always emailed because OSSEC does not know what they are; they may be important, and the system is seeking a human's advice about what to do with this unknown event.
These unknown events could be benign and harmless, or they could be serious problems or even attacks on the system. When OSSEC does not know what an event is, it performs some additional analysis on it, and if the log entry contains words that lead OSSEC to believe this is an error or a potentially malicious event, it alerts you that an unknown event has occurred.
If you get a 1002 alert and you do not know what it is, simply click the "False Negative" button in the GUI. This opens a priority case with the support team, who will investigate the event and be in contact with you. If the event requires new rules, they will generally make those available the same business day you report the event.
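To make the two behaviours described above concrete (the keyword check that decides whether an unrecognised line becomes a 1002 alert, and the email bypass that sends 1002 alerts regardless of the configured minimum level), here is a small Python model added for this page. It is not OSSEC code: the rule set and log lines are constructed, and the word list only approximates OSSEC's BAD_WORDS variable.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Word list modelled on OSSEC's BAD_WORDS variable; the exact contents here
# are an assumption, not copied from a shipped rules file.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused"
    r"|unauthorized|fatal|failed|Segmentation Fault|Corrupted",
    re.IGNORECASE,
)

@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    pattern: Optional[re.Pattern] = None  # None marks the 1002 catch-all
    alert_by_email: bool = False          # OSSEC's alert_by_email option

# Constructed rule set: one specific rule plus the catch-all the page describes.
SPECIFIC_RULES = [
    Rule(5716, 5, "sshd: authentication failed.",
         re.compile(r"sshd\[\d+\]: Failed password")),
]
CATCH_ALL = Rule(1002, 2, "Unknown problem somewhere in the system.",
                 alert_by_email=True)

def classify(log_line: str) -> Optional[Rule]:
    """Return the first specific rule that recognises the line. Unrecognised
    lines fall through to 1002, which fires only when the line carries a
    BAD_WORDS term; otherwise the line is dropped without an alert."""
    for rule in SPECIFIC_RULES:
        if rule.pattern.search(log_line):
            return rule
    if BAD_WORDS.search(log_line):
        return CATCH_ALL
    return None

def should_email(rule: Rule, email_alert_level: int) -> bool:
    """Email when the level reaches the configured minimum, or unconditionally
    when the rule carries alert_by_email (why level-2 1002 alerts still arrive)."""
    return rule.alert_by_email or rule.level >= email_alert_level

if __name__ == "__main__":
    # Constructed unknown event: no specific rule, but "fatal" trips BAD_WORDS.
    hit = classify("host backupd[91]: fatal: snapshot error on /dev/sda1")
    print(hit.rule_id, hit.description, should_email(hit, email_alert_level=7))
```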
False Positives
This rule can only be triggered if the event is unknown to OSSEC. Therefore, there can never be a false positive with this rule; it is simply a catch-all for anything OSSEC does not recognize. Because we want OSSEC to know as much as possible, please report this as a False Positive so that we can investigate what this log message is and add it to OSSEC's library of events. In general, you should expect the support team to follow up with some questions about this event to help us understand it better. If the support team requires additional information, they will
Tuning Recommendations
None.
Similar Rules