HIDS 1002

From Atomicorp Wiki

Revision as of 20:18, 27 July 2011

Rule ID

1002

Status

Active rule currently published.

Description

This rule is a catch-all rule that detects new events that ASL does not recognize. When this happens, ASL reports "Unknown problem somewhere in the system.". Whenever this occurs, ASL will email you the event, even though a 1002 event may be a lower-level alert than the minimum level you have configured ASL to email. 1002s are always emailed because ASL does not know what they are and seeks a human's advice about what to do with the unknown event.

These unknown events could be benign and harmless, or they could be serious problems or even attacks on the system. When ASL does not know what an event is, it performs some additional analysis on it, and if the log entry contains words that lead ASL to believe it is an error or a potentially malicious event, it alerts you that an unknown event has occurred.
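The triage path described above, as an added example that is not ASL's own code: unknown log lines are checked for suspicious words, a hit raises rule 1002 with email forced regardless of the configured email threshold, and adding the event to the known-event library (the tuning step) makes the 1002 go away. The keyword list, the known-event patterns, the rule levels and the sample log lines are all constructed for this example.

```python
import re

# Representative "bad words" that mark an otherwise unknown log line as an
# error or potentially malicious event. Constructed for this example; it is
# not ASL's actual keyword set.
BAD_WORDS = re.compile(
    r"error|fail|denied|refused|unauthorized|attack|illegal|segfault|fatal",
    re.IGNORECASE,
)

# Stand-in for ASL's library of recognized events: (rule id, level, pattern).
# Ids and levels here are hypothetical and do not refer to real ASL rules.
KNOWN_EVENTS = [
    (900001, 3, re.compile(r"sshd\[\d+\]: Accepted publickey for \w+")),
    (900002, 3, re.compile(r"CRON\[\d+\]: \(\w+\) CMD ")),
]

EMAIL_MIN_LEVEL = 7   # hypothetical minimum level that normally triggers email
RULE_1002_LEVEL = 2   # 1002 sits below that threshold but is always emailed


def classify(line, known_events=KNOWN_EVENTS):
    """Return (rule_id, emailed) for one log line, or None if nothing fires."""
    for rule_id, level, pattern in known_events:
        if pattern.search(line):
            # Known event: the normal email threshold applies.
            return rule_id, level >= EMAIL_MIN_LEVEL
    if BAD_WORDS.search(line):
        # Unknown event containing suspicious words: rule 1002. Email is forced
        # even though RULE_1002_LEVEL < EMAIL_MIN_LEVEL, because ASL wants a
        # human to decide what this event is.
        return 1002, True
    return None  # unknown but uninteresting: no alert


def triage(lines, known_events=KNOWN_EVENTS):
    """Classify every line; pass an extended library to see the tuning effect."""
    return [classify(line, known_events) for line in lines]


# Constructed sample log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "Jul 27 20:18:01 host sshd[4321]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2",
    "Jul 27 20:18:02 host CRON[4400]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jul 27 20:18:03 host widgetd[777]: license check failed: key refused by upstream",
    "Jul 27 20:18:04 host widgetd[777]: cache warmed in 41 ms",
]

# Tuning: once support adds the widgetd message to the library, it is no
# longer unknown and the 1002 stops firing for it (hypothetical rule id).
TUNED_RULE = (900003, 3, re.compile(r"widgetd\[\d+\]: license check failed"))
```

Running `triage(SAMPLE_LOG)` flags only the third line as a 1002 with email forced; `triage(SAMPLE_LOG, KNOWN_EVENTS + [TUNED_RULE])` classifies it as the tuned rule instead, below the email threshold.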

False Positives

This rule can only be triggered by an event that is unknown to ASL. Therefore, there can never be a false positive with this rule; it is simply a catch-all for anything ASL does not recognize. Because we want ASL to recognize as much as possible, please report the event as a False Positive so that we can investigate what this log message is and add it to ASL's library of events. In general you should expect the support team to follow up with some questions about this event to help us understand it better. If the support team requires additional information, they will

Tuning Recommendations


Similar Rules
