Rule: 1003 fired (level 13)

[Randy Dover]

I am getting frequent “Rule: 1003 fired) emails:

Received From: (ServerName) ###.###.###.### (ServerIP) ->WinEvtLog
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

2014 Jun 30 01:07:29 WinEvtLog: Security: AUDIT_SUCCESS(4648): Microsoft-Windows-Security-Auditing: (no user): no domain: ServerName.FQDN: A logon was attempted using explicit credentials. Subject:  Security ID:  S-1-5-18  Account Name:  ServerName$  Account Domain:  DomainName  Logon ID:  0x3e7  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Account Whose Credentials Were Used:  Account Name:  DomainAccountName  Account Domain:  FQDN  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Target Server:  Target Server Name: MailServerName.FQDN  Additional Information: HTTP/ MailServerName.FQDN  Process Information:  Process ID:  0x688  Process Name:  ProgramPath\ProgramName  Network Information:  Network Address: -  Port:   -  This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

 

I saw this posting and answer:

It can parse the log without problems. This message is generated by this rule:

<rule id="1003" level="13" maxsize="1025">
<description>Non standard syslog message (size too large).</description>
</rule>


So, you can ignore that rule for this specific log you are parsing or
just increase
the size for everyone... Example:

<rule id="100103" level="0">
<description>Ignoring size to large alerts for myapp.</description>
<match>myapp log</match> OR you can use <program_name>myapp</program_name>
</rule>

 

I looked at the rules I have set up already and they don’t look exactly like the above example, they look more like:

<rule id=’100001’ level=’0’>

    <id>52</id>  (would be 1003 for above issue)

   <description>Ignore ID 52 alerts</description> (would be ID 1003 for above issue)

</rule>

 

I’ve seen other people saying that they rule that looks like my others does not work. Will it / should it work?

My question is: Given the rule example that was posted:

<match>myapp log</match> OR you can use <program_name>myapp</program_name>

If I put this in as my new rule, what would I put for “my app log”?

 

Would this work?

<rule id="100103" level="0">
<description>Ignoring size to large alerts for ProgramName.</description>
<program_name>C:\PathName\ProgramName.exe</program_name>
</rule>

 

For example if it was C:\Program Files\Microsoft\Notepad.exe (yes, I know that’s not the right path, just an example) that was the “offending” executable would I put:

<rule id="100103" level="0">
<description>Ignoring size to large alerts for Notepad.</description>
<program_name>C:\ProgramFiles\Notepad.exe</program_name>
</rule>

 

Or would I just put:

<rule id="100103" level="0">
<description>Ignoring size to large alerts for Notepad.</description>
<program_name>Notepad.exe</program_name>
</rule>

 

Thanks in advance,

 

Randy Dover

This email is intended for its designated recipients. The information, and attachments, contained in this email may be considered private and/or confidential. If the transmission is received in error, delete messages(s) from your system and notify the sender. You may not, directly or indirectly, use, disclose or distribute any part of this email.

[Michael Starks]

On 2014-06-30 8:59, Randy Dover wrote:
> I am getting frequent "Rule: 1003 fired) emails:
>
> Received From: (ServerName) ###.###.###.### (ServerIP) ->WinEvtLog
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too
> large)."
> Portion of the log(s):

I have tried modifying this rule without success. It's a bug:
https://github.com/ossec/ossec-hids/issues/174

You may have to simple comment it out at the risk of not receiving
notifications for really big messages, but I think getting the rule
that's supposed to match in that situation is better.

[Randy Dover]

How should I comment it out?
I edited syslog_rules.xml (in
The way I edited it was:
# <rule id='1003'...
# <description...
# </rule>

So, in essence, I just put a "#" in front of each of the lines.

That didn't work. I'm still getting the emails. And getting a lot of them.

Would it be better if I changed the # to <!-- before and added --> after on the rule?
Is there another file I should be changing other than or in addition to syslog_rules.xml?

Randy Dover

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[dan (ddp)]

On Mon, Jul 7, 2014 at 11:07 AM, Randy Dover <rdo...@cscbank.com> wrote:
> How should I comment it out?
> I edited syslog_rules.xml (in
> The way I edited it was:
> # <rule id='1003'...
> # <description...
> # </rule>
>
> So, in essence, I just put a "#" in front of each of the lines.
>
> That didn't work. I'm still getting the emails. And getting a lot of them.
>
> Would it be better if I changed the # to <!-- before and added --> after on the rule?

Yes, that would be the correct way to comment out something in that
file. There are examples in most of the rules or decoder files.

[Michael Starks]

On 2014-07-07 10:07, Randy Dover wrote:
> How should I comment it out?
> I edited syslog_rules.xml (in
> The way I edited it was:
> # <rule id='1003'...
> # <description...
> # </rule>
>
> So, in essence, I just put a "#" in front of each of the lines.
>
> That didn't work. I'm still getting the emails. And getting a lot of
> them.

XML comments are like this: <!-- stuff here -->. So, your rule should
look like this:

<!-- rule id="1003" level="13" maxsize="304900">
<description>Non standard syslog message (size too
large).</description>
</rule -->

Keep in mind that this is an exceptional case. Normally, you wouldn't
want to modify rules in any place other than local_rules.xml, as they
will be overwritten on upgrades.

[Saurabh Garg]

Michael,

Were you able to restart OSSEC after editing syslog_rules.xml? did it not fail throwing the below message:

"OSSEC analysisd: Testing rules failed. Configuration error. Exiting."

- Saurabh

[dan (ddp)]

On Fri, Sep 9, 2016 at 4:57 AM, Saurabh Garg <saura...@gmail.com> wrote:
> Michael,
>
> Were you able to restart OSSEC after editing syslog_rules.xml? did it not
> fail throwing the below message:
> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>

Looking at /var/ossec/logs/ossec.log or running
`/var/ossec/bin/ossec-logtest -t` might give you a better clue as to
what you did incorrectly.
If you need assistance, please start your own thread and provide details.

> - Saurabh
>
>
> On Monday, July 7, 2014 at 8:53:24 PM UTC+5:30, Michael Starks wrote:
>>
>> On 2014-07-07 10:07, Randy Dover wrote:
>> > How should I comment it out?
>> > I edited syslog_rules.xml (in
>> > The way I edited it was:
>> > # <rule id='1003'...
>> > # <description...
>> > # </rule>
>> >
>> > So, in essence, I just put a "#" in front of each of the lines.
>> >
>> > That didn't work. I'm still getting the emails. And getting a lot of
>> > them.
>>
>> XML comments are like this: <!-- stuff here -->. So, your rule should
>> look like this:
>>
>> <!-- rule id="1003" level="13" maxsize="304900">
>> <description>Non standard syslog message (size too
>> large).</description>
>> </rule -->
>>
>> Keep in mind that this is an exceptional case. Normally, you wouldn't
>> want to modify rules in any place other than local_rules.xml, as they
>> will be overwritten on upgrades.
>>
>>