
Rule 1003 cannot be overwritten #174

Closed
mstarks01 opened this issue Apr 3, 2014 · 13 comments

Comments

@mstarks01
Contributor

Specifically, using the overwrite=yes and increasing the maxsize attribute to something larger than the problem log line has no effect. It might also be that changing this attribute and not overwriting this rule is also broken. I have not tried that.

@jrossi
Member

jrossi commented Apr 12, 2014

Could you attach an example that you expect to work? I am not getting the same issue.

@mstarks01
Contributor Author

I'll try to remember to dig something up when I get back to work on Monday.

@mstarks01
Contributor Author

Here's a sample alert that tripped it:

OSSEC HIDS Notification.
2014 Mar 07 09:38:16

Received From: HOSTNAME->/data/logs/HOSTNAME/HOSTNAME.log
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

Mar  7 09:39:14 HOSTNAME Outlook: 45: Outlook loaded the following add-in(s): Name: Microsoft Exchange Add-in Description: Exchange support for Unified Messaging, e-mail permission rules, and calendar availability. ProgID: UmOutlookAddin.FormRegionAddin GUID: {F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3} Load Behavior: 03 HKLM: 1 Location: C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll Boot Time (Milliseconds): 202 Name: TeamViewer Meeting Add-In Description: Schedule TeamViewer meetings in your calendar. ProgID: TeamViewerOutlookAddIn GUID: {A04A9CCE-4C17-4270-A1E2-4EDB0F752235} Load Behavior: 03 HKLM: 1 Location: mscoree.dll Boot Time (Milliseconds): 3744 Name: MM VFRegisterAddin Description: MM Outlook Addin for registering voiceform ProgID: OutlookVFRegisterAddin.Connect GUID: {B0FCF33D-02D7-48AB-B065-5179C48969E6} Load Behavior: 03 HKLM: 1 Location: C:\Program Files (x86)\BLA BLA\Client\bla bla.dll Boot Time (Milliseconds): 998 Name: MM Outlook UI Addin Description: MM Outlook Addin for UI controls ProgID: OutlookUIAddin.Addin GUID: {2FAA93CC-BB4F-4D4A-9657-258C1DEC2FE2} Load Behavior: 03 HKLM: 1 Location: C:\Program Files (x86)\BLA BLA\Client\bla bla.dll Boot 



 --END OF NOTIFICATION

And here's the rule in local_rules.xml:

<rule id="1003" level="13" maxsize="304900" overwrite="yes">
  <description>Non standard syslog message (size too large).</description>
</rule>

@mstarks01
Contributor Author

Editing the rule directly also does not work, so it would appear that the maxsize value has no effect.

@jrossi jrossi self-assigned this Jun 30, 2014
@dkade

dkade commented Jan 21, 2015

For me it works, just make sure you have it inside <group name="local,syslog,"> !

For example add it before the ending tag:

  <rule id="1003" level="3" maxsize="4010" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>

</group> <!-- SYSLOG,LOCAL -->

@mstarks01
Contributor Author

Just wanted to add an update that this still doesn't work on a new install.

Non standard syslog message (size too large).

.. has no effect. That would have to be one big log!

@mstarks01
Contributor Author

Another data point: if the overwrite rule is set to 0, it will indeed stop alerting. But the issue is that maxsize in the overwrite rule has no effect.

In this case, ossec.log will still record a copy of the message prepended with something like this: 2015/11/19 13:22:52 ossec-logcollector: Large message size(length=5887):

@dm00000

dm00000 commented May 16, 2016

I can confirm that this is still an issue.

All error/event logs coming from Windows machines that hit this rule repeatedly will trigger the message. Changing the maxsize has no noticeable effect, either in syslog_rules.xml or by adding a new entry in the local_rules.xml file.

I've added some test messages that trigger the error regardless of the size set. The messages are 2428, 1027 and 5024 bytes respectively.

2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;

2016 May 16 10:34:12 WinEvtLog: Security: AUDIT_SUCCESS(4648): Microsoft-Windows-Security-Auditing: (no user): no domain: EXHANGE-1234.net: A logon was attempted using explicit credentials. Subject: Security ID: S-1-2-34 Account Name: EXCHANGE$ Account Domain: CLEANEDDOMAIN Logon ID: 0x123 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACCOUNTNAMEHASH Account Domain: 1234.NET Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EXCHANGE.1234.net Additional Information: HTTP/EXCHANGE.1234.net Process Information: Process ID: 0xe48 Process Name: C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

2016 May 16 10:35:11 WinEvtLog: Application: ERROR(65535): Application: (no user): no domain: EXHANGE-1234.net: <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord"; Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Channels.TcpConnectionResetError.aspx</TraceIdentifier><Description>The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'. The local IP address and port is [::1]:12345. The remote IP address and port is [::1]:678.</Description><AppDomain>MSExchangeFrontendTransport.exe</AppDomain><ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/MessageTraceRecord"></ExtendedData><Exception><ExceptionType>System.ServiceModel.CommunicationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'.</Message><StackTrace> at System.ServiceModel.Channels.SocketConnection.ConvertTransferException(SocketException socketException, TimeSpan timeout, Exception originalException, TransferOperation transferOperation, Boolean aborted, String timeoutErrorString, TransferOperation timeoutErrorTransferOperation, SocketConnection socketConnection, TimeSpan remainingTime) at System.ServiceModel.Channels.SocketConnection.ConvertSendException(SocketException socketException, TimeSpan remainingTime) at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout) at System.ServiceModel.Channels.BufferedConnection.WriteNow(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, BufferManager bufferManager) at System.ServiceModel.Channels.BufferedConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout) at System.ServiceModel.Channels.ConnectionStream.Write(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.NegotiateStream.StartWriting(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.NegotiateStream.ProcessWrite(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.NegotiateStream.Write(Byte[] buffer, Int32 offset, Int32 count) at System.ServiceModel.Channels.StreamConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout) at System.ServiceModel.Channels.FramingDuplexSessionChannel.CloseOutputSessionCore(TimeSpan timeout) at System.ServiceModel.Channels.TransportDuplexSessionChannel.CloseOutputSession(TimeSpan timeout) at System.ServiceModel.Channels.TransportDuplexSessionChannel.OnClose(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.OnClose(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout) at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) at System.ServiceModel.Channels.ServiceChannelProxy.ExecuteMessage(Object target, IMethodCallMessage methodCall) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeChannel(IMethodCallMessage methodCall) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at System.ServiceModel.ICommunicationObject.Close() at Microsoft.Exchange.Net.WcfUtils.DisposeWcfClientGracefully(ICommunicationObject client, Boolean skipDispose) at Microsoft.Exchange.Net.ServiceProxyPool1.GetClient(Boolean useCache) at Microsoft.Exchange.Net.ServiceProxyPool1.TryCallServiceWithRetry(Action1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception) at Microsoft.Exchange.Data.Directory.ServiceTopologyProvider.GetTopologyVersions(IList1 partitionFqdns) at Microsoft.Exchange.Data.Directory.TopologyProvider.GetTopologyVersion(String partitionFqdn) at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.CheckTopologyVersionForRebuild() at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType, String partitionFqdn, ADObjectId domain, String serverName, Int32 port, NetworkCredential credential) at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType, String partitionFqdn) at M

@ddpbsd
Member

ddpbsd commented May 16, 2016

I see (without changing the rule):

**Phase 1: Completed pre-decoding.
       full event: '2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1003'
       Level: '13'
       Description: 'Non standard syslog message (size too large).'
**Alert to be generated.

After changing the rule:

**Phase 1: Completed pre-decoding.
       full event: '2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'

**Phase 2: Completed decoding.
       No decoder matched.

What I added to my local_rules.xml:

  <rule id="1003" level="13" maxsize="4096" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>

@dm00000

dm00000 commented May 16, 2016

Ok, I did finally manage to get this working with the comment help above. Thank you.

echo "2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;" | /var/ossec/bin/ossec-logtest -v

I think the issue may be with the JSON output. Despite the additions to the local_rules.xml file, the JSON still lists the "Non standard syslog message (size too large)" message. It's like the JSON formatter/parser is not respecting the local_rules.xml file. (This may be a separate issue altogether.)
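The two things the thread turns on are where the 1003 override sits in local_rules.xml (dkade: it has to be inside a `<group>`) and the real byte length of the line being judged against `maxsize` (ddpbsd and dm00000 confirm with ossec-logtest). The following Python script is an added example written for this page, not OSSEC code: it parses a local_rules.xml fragment the way a lint would, flags an override pasted outside any `<group>`, pulls out the effective `maxsize`, and reports which sample lines would still exceed it. Assumptions, labelled in the code: the 1003 check is "message length > maxsize" counted in bytes (the exact byte count ossec-analysisd uses, full line versus the `log:` portion after pre-decoding, is not shown on this page), the shipped threshold of 1025 is from memory and should be checked against your own syslog_rules.xml, and the sample lines and XML fragments are constructed here rather than taken from any install.

```python
"""Lint a local_rules.xml override of OSSEC rule 1003 and predict which
sample log lines would still exceed its maxsize.

Added example for this thread, not OSSEC code. Assumptions: an override only
takes effect when the <rule> sits inside a <group>, and the 1003 check is
"message length > maxsize" in bytes. Confirm the real behaviour with
ossec-logtest, as done earlier in the thread.
"""
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragments (not taken from any real install).
GOOD_RULES = """
<group name="local,syslog,">
  <rule id="1003" level="13" maxsize="4096" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->
"""

# Same override, but pasted at the top of the file outside any <group>.
BAD_RULES = """
<rule id="1003" level="13" maxsize="4096" overwrite="yes">
  <description>Non standard syslog message (size too large).</description>
</rule>
<group name="local,syslog,">
</group> <!-- SYSLOG,LOCAL -->
"""

# Shipped threshold for rule 1003 in syslog_rules.xml as I recall it;
# assumption, confirm against your install before relying on it.
STOCK_MAXSIZE = 1025


def parse_rules(text: str) -> ET.Element:
    """OSSEC rules files hold several top-level <group> elements, so they are
    not one well-formed XML document; wrap them in a synthetic root."""
    return ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")


def audit_override(text: str, rule_id: str = "1003") -> dict:
    """Return {'maxsize': int | None, 'problems': [str]} for the override of rule_id."""
    root = parse_rules(text)
    maxsize = None
    problems = []
    # A <rule> directly under the file root is not inside any <group>.
    for rule in root.findall("rule"):
        if rule.get("id") == rule_id:
            problems.append(f"rule {rule_id} override is outside any <group>")
    for group in root.findall("group"):
        for rule in group.findall("rule"):
            if rule.get("id") != rule_id:
                continue
            gname = group.get("name", "?")
            if rule.get("overwrite") != "yes":
                problems.append(f"rule {rule_id} in group '{gname}' lacks overwrite=\"yes\"")
            raw = rule.get("maxsize")
            if raw is None or not raw.isdigit():
                problems.append(f"rule {rule_id} in group '{gname}' has no numeric maxsize")
            else:
                maxsize = int(raw)
    if maxsize is None and not problems:
        problems.append(f"no override of rule {rule_id} found")
    return {"maxsize": maxsize, "problems": problems}


def line_sizes(lines, maxsize: int):
    """[(byte_length, would_fire)] per line under the 'length > maxsize' assumption."""
    out = []
    for line in lines:
        n = len(line.encode("utf-8"))
        out.append((n, n > maxsize))
    return out


def sample_line(total_bytes: int) -> str:
    """Constructed ASCII syslog line padded to an exact byte length."""
    header = "Mar  7 09:39:14 HOSTNAME Outlook: 45: Outlook loaded the following add-in(s): "
    filler = "Name: Example Add-in Load Behavior: 03 HKLM: 1 "
    line = header
    while len(line) < total_bytes:
        line += filler
    return line[:total_bytes]


# Byte counts dm00000 reported for the three Windows events in this thread.
SAMPLE_LINES = [sample_line(n) for n in (1027, 2428, 5024)]


if __name__ == "__main__":
    for label, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        report = audit_override(text)
        print(f"{label}: maxsize={report['maxsize']} problems={report['problems']}")
    for threshold in (STOCK_MAXSIZE, audit_override(GOOD_RULES)["maxsize"]):
        print(f"threshold {threshold}: {line_sizes(SAMPLE_LINES, threshold)}")
```

To run it against a real file, pass `open("/var/ossec/rules/local_rules.xml").read()` to `audit_override`. Once the lint is clean, the decisive check is still `echo "<line>" | /var/ossec/bin/ossec-logtest -v` as above: if Phase 3 no longer reports rule 1003 for a line shorter than the override's `maxsize`, the override is being honoured by ossec-analysisd, and any remaining "size too large" text in JSON output is a separate question from rule matching.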

@ellococareloco

And how do I solve the JSON? I already applied the local rule and it still does not work; I still generate the events.

@ddpbsd
Member

ddpbsd commented Jun 14, 2017

@ellococareloco What version of OSSEC are you using? Where are you seeing the issue? Can you give me a sample?

@schleussinger

schleussinger commented Feb 4, 2019

Here you go. It still happens for my Mastodon JSON logging in OSSEC 3.1.0; I had already tried putting this into local_rules.xml:

<rule id="1003" level="13" maxsize="2000" overwrite="yes">
  <description>Non standard syslog message (size too large).</description>
</rule>

However, I still receive such alerts for messages of ~1250 chars:

Received From: (mastodon) xxx.xxx.xxx.xxx->/var/log/syslog
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

Feb 4 08:15:37 mastodon bundle[1037]: 2019-02-04T07:15:37.155Z 1037 TID-ovd90mvop WARN: {"context":"Job raised exception","job":{"class":"ActivityPub::DeliveryWorker","args":["{\"@context\":[\"https://www.w3.org/ns/activitystreams\",\"https://w3id.org/security/v1\",{\"manuallyApprovesFollowers\":\"as:manuallyApprovesFollowers\",\"sensitive\":\"as:sensitive\",\"movedTo\":{\"@id\":\"as:movedTo\",\"@type\":\"@id\"},\"alsoKnownAs\":{\"@id\":\"as:alsoKnownAs\",\"@type\":\"@id\"},\"Hashtag\":\"as:Hashtag\",\"ostatus\":\"http://ostatus.org#\",\"atomUri\":\"ostatus:atomUri\",\"inReplyToAtomUri\":\"ostatus:inReplyToAtomUri\",\"conversation\":\"ostatus:conversation\",\"toot\":\"http://joinmastodon.org/ns#\",\"Emoji\":\"toot:Emoji\",\"focalPoint\":{\"@container\":\"@list\",\"@id\":\"toot:focalPoint\"},\"featured\":{\"@id\":\"toot:featured\",\"@type\":\"@id\"},\"schema\":\"http://schema.org#\",\"PropertyValue\":\"schema:PropertyValue\",\"value\":\"schema:value\"}],\"id\":\"https://xxxxxxxxx.xxxxxx/users/itnewsbot/statuses/12345678912345678/activity\",\"type\":\"Create\",\"actor\":\"https://xxxxxxxxx.xxxxxx/users/itnewsbot\",\"published\":\"2019-02-04T07:15:05Z\",\"to\":[\"https://www.w3.org/ns/activitystreams#Public\"],\"cc\":[\"https://xxxxxxxxx.xxxxxx

 --END OF NOTIFICATION

thanks for any help in fixing this.

@jrossi jrossi closed this as completed Feb 14, 2024