List: ossec-list
Subject: Re: [ossec-list] Rule 1003 flooding
From: Mark M <plaktau () gmail ! com>
Date: 2018-06-29 21:04:06
Message-ID: ee404733-ab15-4dc4-bb53-6355114d2018 () googlegroups ! com
Even at 2048 I get occasional hits. :-\
On Wednesday, June 27, 2018 at 5:48:44 AM UTC-7, dan (ddpbsd) wrote:
>
> On Mon, Jun 25, 2018 at 2:55 PM, Mark M <pla...@gmail.com> wrote:
> >
> > Thanks Dan. Should I titrate the number down as far as possible, or does
> > it matter really?
> >
>
> I'm not sure it matters too much. OSSEC needs to move forward at some
> point. 2048 seems reasonable.
>
> >
> > On Saturday, June 23, 2018 at 2:59:25 PM UTC-7, dan (ddpbsd) wrote:
> > >
> > > On Fri, Jun 22, 2018 at 8:19 PM, Mark M <pla...@gmail.com> wrote:
> > > >
> > > > Since going to CentOS 7, and installing BigFix on all systems I get a
> > > > LOT of syslog rule 1003 (file too large) messages.
> > > >
> > > > <rule id="1003" level="13" maxsize="1025">
> > > >   <description>Non standard syslog message (size too large).</description>
> > > > </rule>
> > > >
> > > > What was used to determine the 1025 number? Is this meant to be
> > > > adjusted, or is it a moving target for the maintainers that needs to be
> > > > revisited?
> > > >
> > >
> > > In the past syslog was limited to 1024 bytes, so longer messages
> > > didn't follow the rules. This can probably be adjusted now.
> > > I think some of the OSSEC internals may still be limited to 1024
> > > though, so these would eventually have to be raised (but I haven't
> > > looked at this in a while, so I could be remembering old info)
> > >
> > > > OSSEC Log sample:
> > > >
> > > > ** Alert 1529706477.1462418: mail - syslog,errors,
> > > > 2018 Jun 22 15:27:57 (aspen) xxx.xxx.xxx.xxx->/var/log/secure
> > > > Rule: 1003 (level 13) -> 'Non standard syslog message (size too
> large).'
> > > > Jun 22 15:27:57 aspen audisp-graylog:
> > > > {"audit_category":"write","audit_summary":"Write:
> > > >
> > > >
> /var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","audit_hostname":"xxx.x \
> xx.xxx.xxx","audit_timestamp":"2018-06-22T15:27:57-0700","audit_plugin":"audisp-gray \
> log","audit_version":"1.0.0","audit":{"serial":"757820","rdev":"00:00","ogid":"0","o \
> uid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/ \
> __BESData/__Global/UsageData/pickup.stat","serial":"757820","rdev":"00:00","ogid":"0 \
> ","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESCli \
> ent/__BESData/__Global/UsageData/pickup.stattmp","serial":"757820","rdev":"00:00","o \
> gid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt \
> /BESClient/__BESData/__Global/UsageData/","serial":"757820","rdev":"00:00","ogid":"0 \
> ","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESCli \
> ent/__BESData/__Global/UsageData/","serial":"757820","cwd":"/home/mmoorcro","serial" \
> :"757820","session":"356","fsgid":"0","sgid":"0","egid":"0","fsuid":"0","suid":"0"," \
> euid":"0","gid":"0","pid":"104939","ppid":"1","process":"/opt/BESClient/bin/BESClient","tty":"(none)","uid":"0","user":"root","originaluid":"853945932","orig \
>
> > > >
> > > >
> > > > Actual log event:
> > > >
> > > > Jun 22 15:27:57 aspen audisp-graylog:
> > > > {"audit_category":"write","audit_summary":"Write:
> > > >
> > > >
> /var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","audit_hostname":"xxx.x \
> xx.xxx.xxx","audit_timestamp":"2018-06-22T15:27:57-0700","audit_plugin":"audisp-gray \
> log","audit_version":"1.0.0","audit":{"serial":"757820","rdev":"00:00","ogid":"0","o \
> uid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/ \
> __BESData/__Global/UsageData/pickup.stat","serial":"757820","rdev":"00:00","ogid":"0 \
> ","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESCli \
> ent/__BESData/__Global/UsageData/pickup.stattmp","serial":"757820","rdev":"00:00","o \
> gid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt \
> /BESClient/__BESData/__Global/UsageData/","serial":"757820","rdev":"00:00","ogid":"0 \
> ","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESCli \
> ent/__BESData/__Global/UsageData/","serial":"757820","cwd":"/home/mmoorcro","serial" \
> :"757820","session":"356","fsgid":"0","sgid":"0","egid":"0","fsuid":"0","suid":"0"," \
> euid":"0","gid":"0","pid":"104939","ppid":"1","process":"/opt/BESClient/bin/BESClien \
> t","tty":"(none)","uid":"0","user":"root","originaluid":"853945932","originaluser":" \
> mmoorcro","parentprocess":"systemd","auditkey":"delete","processname":"BESClient","serial":"757820"}} \
>
> > > >
> > > >
> > > > I grant you that the audisp-graylog plugin has some issues.
> > > > Unfortunately the author is probably never going to look at it again.
> > > > Regardless, if I double 1025 to 2048, the 1003 messages stop. I'm also
> > > > wondering about the messages being truncated in the OSSEC log.
> > > > Presumably changes to the syslog rule may get overwritten at any time.
> > > >
>
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
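Added example, not from the thread or the OSSEC project: a local_rules.xml override that addresses both concerns raised above. Re-declaring rule 1003 in local_rules.xml with overwrite="yes" keeps the change out of the shipped syslog_rules.xml (which an upgrade replaces), and instead of raising the threshold for everything, a child rule drops only the oversized messages from audisp-graylog, the program the thread identifies as the source, so the level-13 alert still fires for any other program emitting abnormally long lines. The maxsize of 2048 is the value Mark settled on; rule id 100100 is an assumed choice from the 100000-119999 range reserved for local rules.

```xml
<!-- /var/ossec/rules/local_rules.xml: loaded last and preserved across
     upgrades, unlike the stock syslog_rules.xml that defines rule 1003. -->
<group name="local,syslog,">

  <!-- Same rule id, description and level as the stock rule, but with the
       larger maxsize. overwrite="yes" replaces the shipped definition
       instead of editing a file the next upgrade would overwrite. -->
  <rule id="1003" level="13" maxsize="2048" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>

  <!-- Child of 1003: oversized events whose syslog program name is
       audisp-graylog (the "aspen audisp-graylog: {...}" lines in the
       thread) are dropped with level 0. Every other program that trips
       the size check still raises the level-13 alert.
       Id 100100 is an assumed local rule id. -->
  <rule id="100100" level="0">
    <if_sid>1003</if_sid>
    <program_name>audisp-graylog</program_name>
    <description>Oversized audisp-graylog JSON event from a known source; ignored.</description>
  </rule>

</group>
```

Check the result with /var/ossec/bin/ossec-logtest by pasting one of the long audisp-graylog lines: it should report rule 100100 at level 0, while a long line from any other program should still hit 1003 at level 13.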