Unknown Alert


Andrew S

Nov 15, 2020, 9:11:37 AM
to ossec-list
We keep receiving these notifications from OSSEC. Our site has nothing to do with dailymail. Is this worrying or is this a false alert?

Received From: server->/var/log/nginx/access.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] "GET / HTTP/2.0" 200 84 "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"

Brian Candler

Nov 16, 2020, 4:02:40 AM
to ossec-list
Rule 1002 is a general catch-all rule which matches generic "bad words" like "failed" and "denied", as you can see here:

It's a false positive for you, since the word "failed" appears in the Referer field of your HTTP logs.  You can silence these by writing your own more specific rule to catch them, e.g.

Andrew S

Nov 16, 2020, 7:27:43 AM
to ossec-list
Hi Brian,

Thank you for the clarification, but I don't understand why someone would associate our website with dailymail.co.uk?

I understand the part of the log: GET / HTTP/2.0" 200

I don't understand: 

Why 84, and why this dailymail URL?

many thanks 
Andrew

dan (ddp)

Nov 16, 2020, 10:10:42 AM
to ossec...@googlegroups.com
On Mon, Nov 16, 2020 at 7:27 AM Andrew S <banan...@gmail.com> wrote:
>
> Hi Brian,
>
> Thank you for the clarification but I don't understand why someone would associate our website with dailymail.co.uk ?
>

I haven't verified, but Brian mentioned dailymail being in the
referrer field. So there was (possibly) a link somewhere on the page
in the log message pointing at your site.

Scott Wozny

Nov 16, 2020, 12:46:24 PM
to ossec...@googlegroups.com
The GET / HTTP2.0 200 84 shows that someone on Sky Broadband in the UK (2a02:c7d IPv6 address) asked for the / alias on your web server which was returned to the user successfully (code 200) and was 84 bytes in length (probably means the user was JS redirected to a specific page on your site, which is common).  Since you don't identify your site, there's no way to confirm the last bit with absolute certainty, but it's both in the ballpark for size and extremely common so I'm confident in that guess. Your webmaster should be able to confirm, though. 

Since the daily mail site is the referrer, it means somewhere in that article, the ads or the comments on that page there is a reference to your site which someone clicked on. Since the referrer URL contained the generic alert term "fail" that's what set off OSSEC. So that's why it's in your logs. 

You can either live with it knowing it's nothing (if it's a low enough level of noise) or write a rule for the Daily Mail URL set to level 0 so it doesn't log anymore. There's little you can do about some commenter on a Daily Mail article linking to your site so you need to decide how much this matters to you. 

HTH,

Scott

--

Scott Wozny

Nov 16, 2020, 12:48:24 PM
to ossec...@googlegroups.com
ACK!  Sorry!  Didn't see you'd already replied, Dan...

What he said. :)

Scott


Andrew S

Nov 16, 2020, 12:59:21 PM
to ossec-list
ah ok, this makes so much more sense now. thank you for the clarifications :) 

dan (ddp)

Nov 16, 2020, 1:00:32 PM
to ossec...@googlegroups.com
No worries. You added some great information.

Andrew S

Nov 17, 2020, 12:10:45 PM
to ossec-list
Actually I have tried to add the rule you have highlighted:

<rule id="1009" level="0">
  <if_sid>1002</if_sid>
  <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
  <pcre2>PPM exceeds tolerance</pcre2>
  <description>Ignoring known false positives on rule 1002..</description>
</rule>

to my file: /var/ossec/rules/local_rules.xml

but I am getting a configuration error when I restart OSSEC. Not sure why this happens as I am just copying and pasting that rule from your example.

many thanks again,
Andrew

Brian Candler

Nov 18, 2020, 3:39:19 AM
to ossec-list
And what does the configuration error message say?

Andrew S

Nov 21, 2020, 8:17:20 AM
to ossec-list

Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-analysisd: Configuration error. Exiting.

Andrew S

Nov 21, 2020, 8:23:36 AM
to ossec-list
after looking at the error log it says:

2020/11/21 13:15:49 ossec-analysisd: Duplicate rule ID:1009
2020/11/21 13:15:49 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

do I need to change the rule ID to another random number?


Andrew S

Nov 21, 2020, 11:26:16 AM
to ossec-list
I have now changed the ID to something else, but I am getting a new error:

2020/11/21 16:22:19 ossec-testrule: INFO: Reading local decoder file.
2020/11/21 16:22:19 ossec-analysisd: Invalid option 'pcre2' for rule '100009'.
2020/11/21 16:22:19 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.



Brian Candler

Nov 22, 2020, 3:53:55 AM
to ossec-list
You are running an older version of ossec than the ruleset in git. <match> was changed to <pcre2> here:
https://github.com/ossec/ossec-rules/commit/15b7ad93ffe4f89d9122337ed93720ff294d81e0

The easiest thing to do is to find your existing rule 1009 from your existing ruleset, and copy that.
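Added example (not code from the thread or from the OSSEC project) that ties together Scott's breakdown of the access-log fields and Brian's point that OSSEC 2.8 wants <match> rather than <pcre2>. It parses the nginx combined-format line from the thread (re-joined onto one line), reports which field carries the generic "bad word", and runs a deliberately simplified model of OSSEC's rule chaining over a small rule set: a stand-in for rule 1002 whose word list is an abbreviated, constructed version of the stock list, and a local rule with the id 100009 Andrew used, written with <match> and <if_sid> so it fires only after 1002 and drops the level to 0 when the Referer is dailymail.co.uk. The evaluator is an approximation for illustration, not OSSEC's engine; the dailymail rule text and the extra sample lines are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the nginx access.log line from the thread, joined
# back onto one line (the mail client had wrapped it).
SAMPLE_LINE = (
    '2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] '
    '"GET / HTTP/2.0" 200 84 '
    '"https://www.dailymail.co.uk/news/article-8949475/'
    'SOAS-failed-2017-admit-single-white-working-class-student.html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"'
)

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)


def parse_combined(line):
    """Split one combined-format line into its named fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("not an nginx combined-format line")
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    sent = fields["body_bytes_sent"]
    fields["body_bytes_sent"] = 0 if sent == "-" else int(sent)
    return fields


def match_any(pattern, text):
    """Simplified OSSEC <match>: '|' separates plain, case-insensitive substrings."""
    return any(p and p.lower() in text.lower() for p in pattern.split("|"))


def fields_containing(fields, bad_words):
    """Triage step: which fields of the parsed line carry a generic 'bad word'?"""
    return sorted(k for k, v in fields.items()
                  if isinstance(v, str) and match_any(bad_words, v))


# Rules in the older <match> syntax that OSSEC 2.8 accepts (<pcre2> is the
# later replacement the thread ran into). Rule 1002's word list here is an
# abbreviated, constructed stand-in for the stock list; 100009 is a local rule
# (ids from 100000 up are the user-defined range) that uses <if_sid> so it is
# only considered after 1002 fired, and sets level 0 for the dailymail Referer.
LOCAL_RULES_XML = """
<group name="local,syslog,">
  <rule id="1002" level="2">
    <match>failed|denied|error</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100009" level="0">
    <if_sid>1002</if_sid>
    <match>"https://www.dailymail.co.uk/</match>
    <description>Ignore 1002 hits caused by a dailymail.co.uk Referer.</description>
  </rule>
</group>
"""


def evaluate(rules_xml, line):
    """Walk the rules in order; return [(id, level), ...] for every rule that fires.

    A rule with <if_sid> is considered only after its parent fired. Repeated
    <match> elements are joined into one pattern, modelling how OSSEC appends
    them (the rule pasted in the thread relies on that: its first <match>
    ends in '|' so the second one continues the alternation).
    """
    fired = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        parent = rule.findtext("if_sid")
        if parent is not None and parent not in [rid for rid, _ in fired]:
            continue
        pattern = "".join(m.text or "" for m in rule.findall("match"))
        if pattern and not match_any(pattern, line):
            continue
        fired.append((rule.get("id"), int(rule.get("level"))))
    return fired


def final_decision(rules_xml, line):
    """The most specific (last) rule that fired, or None if nothing matched."""
    fired = evaluate(rules_xml, line)
    return fired[-1] if fired else None


if __name__ == "__main__":
    parsed = parse_combined(SAMPLE_LINE)
    print("bad word found in field(s):", fields_containing(parsed, "failed|denied|error"))
    print("decision for the thread's line:", final_decision(LOCAL_RULES_XML, SAMPLE_LINE))
```

Run stand-alone it shows that the only field containing a bad word is http_referer, and that the thread's line ends at rule 100009 with level 0 while a line with "failed" in the request path and no dailymail Referer still stops at 1002, level 2. That is the check worth doing before silencing anything: confirm the match really comes from the Referer and not from the request or status.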