Hi Göran,

My understanding is that rule 1002 is a catch-all default rule for events 
which don't match any others. I would expect your rule to work if you 
remove the following:

<if_sid>1002</if_sid>

Hope that helps.

Jason

On Wednesday, February 15, 2017 at 9:29:54 AM UTC-8, Göran Lundberg wrote:
>
> The original 1002 rule is still triggered and sent to my mail every day. 
> My rule is ignored for some reason. 
>
> Victor Fernandez <vic...@wazuh.com> wrote: (15 February 2017 
> 18:04:05 CET)
>>
>> Hi,
>>
>> I think that your configuration is correct. What exactly is the problem 
>> that you have? I mean, is the rule 1002 still appearing even with that 
>> message, or does the rule 3752 appear in the alert log?
>>
>> Best regards.
>>
>> On Tue, Feb 14, 2017 at 4:11 PM, <secu...@lundberg.email> wrote:
>>
>>> Hi! I'm trying to remove these notifications from mailscanner. 
>>>
>>>
>>> OSSEC HIDS Notification.
>>> 2017 Feb 14 06:29:41
>>>
>>> Received From: hostname->/var/log/syslog
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>> Portion of the log(s):
>>>
>>> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites 
>>> list updated
>>>
>>>
>>> --END OF NOTIFICATION
>>>
>>>
>>> I've tried to make a rule for it but it's not working. Any help is 
>>> appreciated! 
>>>
>>> <rule id="3752" level="0">
>>> <if_sid>1002</if_sid>
>>> <match>update.bad.phishing.sites: Phishing bad sites list updated</match>
>>> <description>Ignore mailscanner update messages.</description>
>>> </rule>
>>>
>>> -- 
>>> Göran Lundberg 
>>>
>>
>>
>>
>> -- 
>> Victor M. Fernandez-Castro
>> IT Security Engineer
>> Wazuh Inc.
>>
>>
