HIDS 1002

From Atomicorp Wiki

Rule ID

1002

Status

Active rule currently published.

Description

This rule is a catch-all rule that detects new events that OSSEC does not yet understand. When this happens, the software reports "Unknown problem somewhere in the system." Any time this occurs, OSSEC will email you the event, even though a 1002 event may be set at a lower alert level than the minimum level you have configured OSSEC to send emails for. 1002 events are always emailed because OSSEC does not know what they are: they may be important, and the system is seeking a human's advice about what to do with this unknown event.

These unknown events could be benign and harmless, or they could be serious problems or even attacks on the system. When OSSEC does not know what an event is, it performs some additional analysis on it, and if the log entry contains words that lead OSSEC to believe this is an error or a potentially malicious event, it will alert you that an unknown event has occurred.
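The following is an added example, not code from the Atomicorp wiki or from OSSEC itself. It models the behaviour described above in Python so the three outcomes can be seen side by side: a line matched by a known rule, an unknown line that contains an error-like word and therefore fires 1002 (and is emailed regardless of the email threshold), and an unknown line that is ignored. The KNOWN_RULES set, the sample log lines, the local rule id 100010 and the EMAIL_ALERT_LEVEL value are constructed for the example; the BAD_WORDS list is an approximation of the word list rule 1002 matches on in OSSEC's shipped syslog rules and should be treated as an assumption.

```python
import re

# Constructed stand-in for OSSEC's rule base (assumption: two rules are
# enough to show the difference between a known and an unknown event).
KNOWN_RULES = [
    # (rule id, level, pattern, description)
    (5501, 3, re.compile(r"session opened for user"), "Login session opened."),
    (5716, 5, re.compile(r"sshd\[\d+\]: Failed password"), "SSHD authentication failed."),
]

# Assumption: approximates the BAD_WORDS list that rule 1002 matches on in
# OSSEC's syslog rules. Matched case-insensitively here for illustration.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused|"
    r"unauthorized|fatal|failed|Segmentation Fault|Corrupted",
    re.IGNORECASE,
)

RULE_1002 = {
    "id": 1002,
    "level": 2,
    "description": "Unknown problem somewhere in the system.",
    "alert_by_email": True,  # this flag is what bypasses the email threshold
}

EMAIL_ALERT_LEVEL = 7  # assumption: a typical <email_alert_level> setting


def classify(log_line, rules=None):
    """Return the alert a log line produces, or None if it is silently ignored."""
    for rule_id, level, pattern, desc in (rules if rules is not None else KNOWN_RULES):
        if pattern.search(log_line):
            return {"id": rule_id, "level": level, "description": desc, "alert_by_email": False}
    # Nothing matched, so the event is unknown. Alert only if it looks like
    # an error or something potentially malicious.
    if BAD_WORDS.search(log_line):
        return dict(RULE_1002)
    return None


def should_email(alert, email_alert_level=EMAIL_ALERT_LEVEL):
    """1002 is always emailed; other rules only when they reach the threshold."""
    if alert is None:
        return False
    return alert["alert_by_email"] or alert["level"] >= email_alert_level


def triage(lines, rules=None, email_alert_level=EMAIL_ALERT_LEVEL):
    """Return (line, rule id or None, emailed?) for each log line."""
    results = []
    for line in lines:
        alert = classify(line, rules)
        results.append((line, alert["id"] if alert else None,
                        should_email(alert, email_alert_level)))
    return results


# Constructed sample log lines (RFC 5737 documentation address, fake daemon).
SAMPLE_LOGS = [
    "Mar  3 10:01:12 host sshd[4421]: Failed password for invalid user test from 198.51.100.7 port 51122 ssh2",
    "Mar  3 10:02:40 host backupd[812]: checkpoint write error: disk quota exceeded",
    "Mar  3 10:03:05 host backupd[812]: rotated 3 archive files",
]


def teach_backupd_rule():
    """Simulate a new rule being published for the previously unknown event."""
    return KNOWN_RULES + [
        # Assumption: 100010 stands in for a local rule id.
        (100010, 5, re.compile(r"backupd\[\d+\]: checkpoint write error"),
         "Backup checkpoint write failed."),
    ]


if __name__ == "__main__":
    for line, rule_id, emailed in triage(SAMPLE_LOGS):
        print(f"rule={rule_id!s:>6} email={emailed!s:<5} {line}")
    print("--- after a specific rule is added ---")
    for line, rule_id, emailed in triage(SAMPLE_LOGS, teach_backupd_rule()):
        print(f"rule={rule_id!s:>6} email={emailed!s:<5} {line}")
```

The second pass shows what happens once a specific rule exists for the event: the same backupd line no longer reaches 1002, lands at a level below the email threshold, and so stops being emailed, which is the practical effect of reporting unknown events and getting rules published for them.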

If you get a 1002 alert and you do not know what it is, simply click the "False Negative" button in the GUI. This will open a priority case with the support team; they will investigate the event and be in contact with you. If the event requires new rules, they will generally make those available the same business day you report the event.

False Positives

This rule can only be triggered if the event is unknown to OSSEC. Therefore, there can never be a false positive with this rule; it is just a catch-all for anything OSSEC does not recognize. Because we want OSSEC to know as much as possible, please report this as a False Positive so that we can investigate what this log message is and add it to OSSEC's library of events. In general, you should expect the support team to follow up with some questions about this event to help us understand it better. If the support team requires additional information, they will

Tuning Recommendations

None.

Similar Rules
