Hi, I think that your configuration is correct. What exactly is the problem that you have? I mean, is rule 1002 still appearing even with that message, or does rule 3752 appear in the alert log?

Best regards.

On Tue, Feb 14, 2017 at 4:11 PM, <security@lundberg.email> wrote:
> Hi! I'm trying to remove these notifications from mailscanner.
>
>
> OSSEC HIDS Notification.
> 2017 Feb 14 06:29:41
>
> Received From: hostname->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated
>
>
> --END OF NOTIFICATION
>
>
> I've tried to make a rule for it but it's not working. Any help is
> appreciated!
>
> <rule id="3752" level="0">
>   <if_sid>1002</if_sid>
>   <match>update.bad.phishing.sites: Phishing bad sites list updated</match>
>   <description>Ignore mailscanner update messages.</description>
> </rule>
>
> --
> Göran Lundberg
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.