Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."


#1

Bonjour,

Today an OSSEC notification was sent about a SecureDrop instance and I’m not sure how to interpret it. Here is how it looks (there is no risk for this alert to be traced back to the SecureDrop instance based on its content):

OSSEC HIDS Notification.

Received From: mon->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: Glj_@.7)N1rA4H!ST)?fH6+g2_u+!/3kXuNCsop5x_?JwsJ^fJCMXsbtUvXy88=z,E2oaz)yoBpKbZ7gceaZ!bB#@GTNiK#ew-7!qcc(*sw(zL;B.HIp-9,1jPW5H*!l7'+F]Gr$g]ZF+a6(HiQ@A[+J=LXyw^=M8#*3mRKs[Sf^S@kHCi02cPT']k55'Wl1&L$L,5lErrorK#Y

 --END OF NOTIFICATION

I think this happened because the word Error showed in a binary content: it is in the list of BAD_WORDS in rules/syslog_rules.xml and could show by accident in a binary file scanned by rule 1002. However, since there exists a rule to ignore known false positives on rule 1002 (that’s rule 1009), I prefer to ask for a second opinion.

What do you think?


#2

Hi @dachary,

I seem to recall that this is a common issue with OSSEC. They are safe to ignore according to the OSSEC documentation.

Best,
Freddy