Today an OSSEC notification was sent about a SecureDrop instance and I’m not sure how to interpret it. Here is how it looks (there is no risk of this alert being traced back to the SecureDrop instance based on its content):
OSSEC HIDS Notification.
Received From: mon->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: Glj_@.7)N1rA4H!ST)?fH6+g2_u+!/3kXuNCsop5x_?JwsJ^fJCMXsbtUvXy88=z,E2oaz)yoBpKbZ7gceaZ!bB#@GTNiK#ew-7!qcc(*sw(zL;B.HIp-9,1jPW5H*!l7'+F]Gr$g]ZF+a6(HiQ@A[+J=LXyw^=M8#*3mRKs[Sf^S@kHCi02cPT']k55'Wl1&L$L,5lErrorK#Y

--END OF NOTIFICATION
I think this happened because the word Error showed up in binary content: it is in the keyword list in rules/syslog_rules.xml and could show up by accident in a binary file scanned by rule 1002. However, since there exists a rule to ignore known false positives on rule 1002 (that’s rule 1009), I prefer to ask for a second opinion.
What do you think?
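A small triage helper for this kind of alert, written here as an added example (it is not part of the original post, nor OSSEC's own code): it parses the notification quoted above, reproduces the keyword test behind rule 1002 and reports whether the only hit sits inside the random payload of the ossec-keepalive --MARK-- line. The BAD_WORDS list and the case-insensitive matching are assumptions recalled from syslog_rules.xml; check them against the installed rules file.

```python
import re

# Constructed sample: the notification quoted in the post, reassembled line by line.
NOTIFICATION = """OSSEC HIDS Notification.
Received From: mon->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: Glj_@.7)N1rA4H!ST)?fH6+g2_u+!/3kXuNCsop5x_?JwsJ^fJCMXsbtUvXy88=z,E2oaz)yoBpKbZ7gceaZ!bB#@GTNiK#ew-7!qcc(*sw(zL;B.HIp-9,1jPW5H*!l7'+F]Gr$g]ZF+a6(HiQ@A[+J=LXyw^=M8#*3mRKs[Sf^S@kHCi02cPT']k55'Wl1&L$L,5lErrorK#Y

--END OF NOTIFICATION
"""

# Assumption: the $BAD_WORDS keyword list that rule 1002 matches on, recalled from
# rules/syslog_rules.xml; verify against your installed copy.
BAD_WORDS = ["core_dumped", "failure", "error", "attack", " bad ", "illegal ",
             "denied", "refused", "unauthorized", "fatal", "failed",
             "Segmentation Fault", "Corrupted"]

KEEPALIVE_PREFIX = "--MARK--:"


def parse_notification(text):
    """Return (received_from, rule_id, log_portion) from an OSSEC notification body."""
    src = re.search(r"^Received From:\s*(.+)$", text, re.M).group(1).strip()
    rule = int(re.search(r"^Rule:\s*(\d+)", text, re.M).group(1))
    log = re.search(r"Portion of the log\(s\):\s*\n(.*?)\n\s*--END OF NOTIFICATION",
                    text, re.S).group(1).strip()
    return src, rule, log


def matched_keywords(line):
    """Keywords from BAD_WORDS present in line (assumes <match> is case-insensitive)."""
    low = line.lower()
    return [w for w in BAD_WORDS if w.lower() in low]


def is_keepalive_false_positive(text):
    """True when rule 1002 fired on an ossec-keepalive line and every keyword hit
    lies inside the random payload after the fixed --MARK-- prefix."""
    src, rule, log = parse_notification(text)
    if rule != 1002 or not src.endswith("->ossec-keepalive"):
        return False
    if not log.startswith(KEEPALIVE_PREFIX):
        return False
    payload = log[len(KEEPALIVE_PREFIX):]
    return bool(matched_keywords(payload))
```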