HIDS 1002

From Atomicorp Wiki
Revision as of 19:18, 27 July 2011 by Mshinn (Talk | contribs)


Rule ID

1002

Status

Active rule currently published.

Description

This rule is a catch-all rule that detects new events that ASL does not recognize. When this happens, ASL will report "Unknown problem somewhere in the system." Any time this occurs, ASL will email you the event, even though a 1002 event may be a lower-level alert than the minimum level you have configured ASL to send emails for. 1002 events are always emailed because ASL does not know what they are and seeks a human's advice about what to do with the unknown event.

These unknown events could be benign and harmless, or they could be serious problems or even attacks on the system. When ASL does not know what an event is, it performs some additional analysis on it, and if the log entry contains words that lead ASL to believe it is an error or a potentially malicious event, it alerts you that an unknown event has occurred.
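The following is an added illustration, not ASL's or OSSEC's own code: a small model of the catch-all behaviour described above. Known rules are tried first; a line no rule recognizes is only alerted on if it contains an error-like word, and that 1002 alert is emailed regardless of the configured email threshold. The word list, the "known" rules, their levels and the sample log lines are all assumptions constructed for the example.

```python
import re

# Assumed list of error-like words, modelled on the kind of "bad words" an
# OSSEC-style catch-all rule looks for; ASL's real list may differ.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack|denied|refused|unauthorized|fatal|"
    r"failed|segmentation fault|corrupted",
    re.IGNORECASE,
)

# Hypothetical "known" rules: (rule id, pattern, alert level). Illustrative only.
KNOWN_RULES = [
    (5710, re.compile(r"sshd\[\d+\]: Failed password for invalid user"), 5),
    (5501, re.compile(r"session opened for user"), 3),
]

CATCH_ALL_RULE_ID = 1002
CATCH_ALL_LEVEL = 2


def classify(line, email_min_level=7):
    """Return (rule_id, level, emailed) for one log line, or None if ignored.

    email_min_level models the minimum alert level ASL is configured to email;
    a rule 1002 hit is emailed even when it sits below that level.
    """
    for rule_id, pattern, level in KNOWN_RULES:
        if pattern.search(line):
            return rule_id, level, level >= email_min_level
    if BAD_WORDS.search(line):
        # Unknown event that looks like an error: catch-all fires, always emailed.
        return CATCH_ALL_RULE_ID, CATCH_ALL_LEVEL, True
    # Unknown but nothing suspicious in it: no alert.
    return None


# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "Jul 27 19:18:01 host sshd[2231]: Failed password for invalid user bob",
    "Jul 27 19:18:05 host cron[2240]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jul 27 19:18:09 host kernel: httpd[2250]: segfault at 0 ip 0 sp 0 error 4",
]


def run(lines=SAMPLE_LOG, email_min_level=7):
    """Classify every line; returns a list parallel to the input."""
    return [classify(line, email_min_level) for line in lines]
```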

False Positives

This rule can only be triggered if the event is unknown to ASL. Therefore, there can never be a false positive with this rule; it is just a catch-all for anything ASL does not recognize. Because we want ASL to know as much as possible, please report this as a False Positive so that we can investigate what this log message is and add it to ASL's library of events. In general you should expect the support team to follow up with some questions about this event to help us understand it better. If the support team requires additional information, they will

Tuning Recommendations

None.

Similar Rules
