On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
I'm having trouble making a rule to eliminate this false positive, rule 1002
is kicking in:
sendmail[24167]: qBAHj1gY023631: to=fatal-err...@example.com,
delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705,
On Tue, Dec 11, 2012 at 5:03 PM, Scott Nelson wa6...@gmail.com wrote:
On Dec 11, 2012, at 3:55 PM, dan (ddp) wrote:
On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
I'm having trouble making a rule to eliminate this false positive, rule 1002
is kicking in:
sendmail[24167]:
On Dec 11, 2012, at 4:16 PM, dan (ddp) wrote:
You could match on the fatal-errors@blahblah as above, but set the
level higher. Then create a child rule matching the Ok: queued bit.
Sure. Thanks a lot for your help, Dan.
Scott
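
The parent/child approach suggested above, sketched as an OSSEC `local_rules.xml` fragment. This is an added example, not part of any message in the thread. The rule ids 100100 and 100101, the group name, the descriptions and the level values are assumptions; only rule 1002, the `fatal-errors@` string and the `Ok: queued` string come from the thread.

```xml
<!-- local_rules.xml fragment: added example, not from the thread. -->
<group name="local,syslog,sendmail,">

  <!-- Hypothetical rule id 100100. Child of rule 1002: fires when the
       line matched 1002 and contains the recipient fatal-errors@.
       Level 3 is an assumed value for "set the level higher". -->
  <rule id="100100" level="3">
    <if_sid>1002</if_sid>
    <match>fatal-errors@</match>
    <description>sendmail: line mentions recipient fatal-errors@ (bad words are in the address).</description>
  </rule>

  <!-- Hypothetical rule id 100101. Child of 100100: the same line also
       reports "Ok: queued", so the delivery was accepted and the event
       is ignored (level 0 generates no alert). -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <match>Ok: queued</match>
    <description>sendmail: mail to fatal-errors@ queued normally, ignored.</description>
  </rule>

</group>
```

Feeding the full log line to `ossec-logtest` shows which of the rules fires before the change is relied on.
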
Hello,
Rule 1002 shows up when it matches some bad words;
here I think it matches errors in the mail address. The bad words are
configured in the rules file.
One solution is to create an exception for this case (maybe not the best).
Regards,
Hugo
On 10 December 2012 18:53, Scott
Um - error and fatal both occur there, so what you really want to do is not
alert on the string fatal-errors@. (Who ever creates a mail username of
fatal-errors? Must be an example.com issue.)
This was one of the first things I ever had to do in locally configuring rules
for OSSEC. This is
On Mon, 10 Dec 2012 09:53:17 -0800 (PST) Scott wa6...@gmail.com wrote:
I'm having trouble making a rule to eliminate this false positive,
rule 1002 is kicking in:
sendmail[24167]: qBAHj1gY023631: to=fatal-err...@example.com,
delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705,