
[ossec-list] OpenWebMail and false alerts?



I have a server on which OpenWebMail (OWM) is running to provide webmail
access, and on which OSSEC is running in local mode. I have noticed a
number of false positive results that appear to be triggered by the
syslog "message too long" rule hitting on the access_log entries from
OWM (access_log is located at /var/log/httpd/access_log). ddcciidd in
#ossec on freenode suggested I submit example log entries and
notifications, to help improve the rules. Attached are the notifications
I have received today, as well as the access_log entries related to OWM
that I could find (tar-gzipped, separated by v-site).

Please let me know if you need additional information.

-Albert C.

Attachment: 20070806.access_log.openwebmail.tar.gz
Description: GNU Zip compressed data

--- Begin Message ---
OSSEC HIDS Notification.
2007 Aug 06 12:55:43

Received From: inhouse68->/var/log/maillog
Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
Portion of the log(s):

The average number of logs between 12:00 and 13:00 is 12797. We reached 16638.



 --END OF NOTIFICATION



--- End Message ---
--- Begin Message ---
OSSEC HIDS Notification.
2007 Aug 06 13:03:07

Received From: inhouse68->/var/log/httpd/access_log
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

mail.ethhc.com 65.212.202.130 - - [06/Aug/2007:12:03:06 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=bconner*mail.ethhc.com-session-0.722400802959786&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&action=movemessage&message_ids=%3C200707201727.l6KHRB6a009935%40inhouse68.groupm7.com%3E&message_id=%3CKilauea287283-13995-232626365-1-1001%40flonetwork.com%3E&destination=mail-trash&headers=simple&attmode=simple&messageaftermove=1 HTTP/1.1" 302 - "http://mail.ethhc.com/cgi-bin/openwebmail/openwebmail-read.pl?sessionid=bconner*mail.ethhc.com-session-0.722400802959786&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C200707201727.l6KHRB6a009935%40inhouse68.groupm7.com%3E&action=readmessage&headers=simple&attmode=simple&db_chkstatus=1"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"



 --END OF NOTIFICATION



--- End Message ---
--- Begin Message ---
OSSEC HIDS Notification.
2007 Aug 06 13:18:36

Received From: inhouse68->/var/log/httpd/access_log
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:12:18:35 -0500] "GET /cgi-bin/openwebmail/openwebmail-send.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=reply&convfrom=none.iso-8859-1 HTTP/1.0" 200 21849 "http://mail.premier-getfit.com/cgi-bin/openwebmail/openwebmail-read.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&action=readmessage&headers=simple&attmode=simple"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"



 --END OF NOTIFICATION



--- End Message ---
--- Begin Message ---
OSSEC HIDS Notification.
2007 Aug 06 13:18:54

Received From: inhouse68->/var/log/httpd/access_log
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:12:18:51 -0500] "POST /cgi-bin/openwebmail/openwebmail-send.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=reply&convfrom=none.iso-8859-1 HTTP/1.0" 302 - "http://mail.premier-getfit.com/cgi-bin/openwebmail/openwebmail-send.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=reply&convfrom=none.iso-8859-1"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"



 --END OF NOTIFICATION



--- End Message ---
--- Begin Message ---
OSSEC HIDS Notification.
2007 Aug 06 14:11:28

Received From: inhouse68->/var/log/httpd/access_log
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

mail.ethhc.com 65.212.202.130 - - [06/Aug/2007:13:11:27 -0500] "POST /cgi-bin/openwebmail/openwebmail-send.pl?sessionid=sbest*mail.ethhc.com-session-0.571230619055317&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3Cb0sge8yb2c1byjbfp4p54bxj29149e%40mta306.exprpt.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=forward&convfrom=none.iso-8859-1 HTTP/1.1" 302 - "http://mail.ethhc.com/cgi-bin/openwebmail/openwebmail-send.pl?sessionid=sbest*mail.ethhc.com-session-0.571230619055317&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3Cb0sge8yb2c1byjbfp4p54bxj29149e%40mta306.exprpt.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=forward&convfrom=none.iso-8859-1"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"



 --END OF NOTIFICATION



--- End Message ---
--- Begin Message ---
OSSEC HIDS Notification.
2007 Aug 06 14:16:27

Received From: inhouse68->/var/log/httpd/access_log
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:13:16:25 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=kkinard*mail.premier-getfit.com-session-0.510241782832058&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&action=movemessage&message_ids=%3C20070803134214.931016%40rockymountainatv.com%3E&message_id=%3C200708021932.l72JWD38001121%40inhouse68.groupm7.com%3E&destination=mail-trash&headers=simple&attmode=simple&messageaftermove=1 HTTP/1.0" 302 - "http://mail.premier-getfit.com/cgi-bin/openwebmail/openwebmail-read.pl?sessionid=kkinard*mail.premier-getfit.com-session-0.510241782832058&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C20070803134214.931016%40rockymountainatv.com%3E&action=readmessage&headers=simple&attmode=simple&db_chkstatus=1"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"



 --END OF NOTIFICATION



--- End Message ---
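The notifications above all come from the same mechanism: rule 1003 has no pattern, it simply fires on any raw line longer than its size limit, and long OpenWebMail query strings (session id, folder state and two encoded Message-IDs, repeated again in the Referer) push Apache access_log lines past it. The block below is an added example, not code from the post or from OSSEC: it replays that check over constructed log lines, reports which field is inflating each line, and applies a narrowly scoped override that drops the alert to level 0 only for OpenWebMail requests in the Apache access log, so an oversized line anywhere else (or a non-OpenWebMail request in the same file) still alerts. The threshold value, the local rule id 100003 and the sample hostnames are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Dict

# Assumed size limit for this example; OSSEC's stock rule 1003 enforces a
# maxsize on the raw line, and this value stands in for whatever the deployed
# rule set uses.
MAXSIZE = 1025
OWM_PATH = "/cgi-bin/openwebmail/"          # OpenWebMail CGI prefix seen in the alerts
ACCESS_LOG = "/var/log/httpd/access_log"    # location quoted in the notifications

# Matches the request field of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/\d\.\d"')


@dataclass
class Alert:
    rule_id: int
    level: int
    location: str
    description: str


def oversized(line: str, maxsize: int = MAXSIZE) -> bool:
    """Reproduce the rule-1003 condition: the raw line exceeds maxsize."""
    return len(line) > maxsize


def is_openwebmail_request(line: str) -> bool:
    """True when the request field targets the OpenWebMail CGI directory."""
    m = REQUEST_RE.search(line)
    return bool(m) and m.group("path").startswith(OWM_PATH)


def field_sizes(line: str) -> Dict[str, int]:
    """Length of the three quoted fields (request, referer, user agent).

    Tells the admin which field is responsible for an oversized line; in the
    posted alerts the request and the Referer each carry the full query string.
    """
    parts = line.split('"')
    if len(parts) < 7:
        return {}
    return {"request": len(parts[1]), "referer": len(parts[3]), "user_agent": len(parts[5])}


def evaluate(location: str, line: str, maxsize: int = MAXSIZE) -> Optional[Alert]:
    """Alert that would be raised for one line, or None when it is not oversized."""
    if not oversized(line, maxsize):
        return None
    # Local override (hypothetical rule id 100003): level 0 only when the line
    # comes from the Apache access log AND is an OpenWebMail request. Keeping
    # both conditions avoids silencing 1003 for other files, where an unusually
    # long line can be the first sign of an injection attempt or log tampering.
    if location == ACCESS_LOG and is_openwebmail_request(line):
        return Alert(100003, 0, location, "Long OpenWebMail access_log line (ignored).")
    return Alert(1003, 13, location, "Non standard syslog message (size too large).")


def access_line(path: str, query_len: int) -> str:
    """Constructed combined-format line with a query string of query_len characters."""
    query = "sessionid=user*mail.example.com-session-0.1234&" + "x" * query_len
    return ('mail.example.com 192.0.2.10 - - [06/Aug/2007:12:03:06 -0500] '
            f'"GET {path}?{query} HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"')


if __name__ == "__main__":
    # Constructed samples: a normal OpenWebMail hit, an oversized one, an
    # oversized non-OpenWebMail request, and an oversized maillog line.
    samples = [
        (ACCESS_LOG, access_line(OWM_PATH + "openwebmail-main.pl", 100)),
        (ACCESS_LOG, access_line(OWM_PATH + "openwebmail-main.pl", 1200)),
        (ACCESS_LOG, access_line("/index.html", 1200)),
        ("/var/log/maillog", "Aug  6 12:55:43 inhouse68 postfix/smtpd[123]: " + "A" * 1200),
    ]
    for location, line in samples:
        alert = evaluate(location, line)
        print(f"{location}: len={len(line)} fields={field_sizes(line)} -> {alert}")
```

Run as a script it prints one line per sample with the field breakdown and the resulting alert. In OSSEC itself the equivalent scoping is a level-0 child rule in local_rules.xml that references 1003 with `<if_sid>` and narrows on the log location and a match on the OpenWebMail path; the exact element choice is an assumption here and should be checked against the rules syntax for the version in use.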



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.