Hi Kayvan,
These rules are trickier to change, because they are meant as a catch-all to
find possible problems that our rules would miss. In addition to that, depending
on the rules, the "bad" may be after a comma or between quotes or in many
other ways. To fix that, the easiest way is to add a rule for the
"spamd: checking message" log as level 0 (not security relevant).
Try adding the following rule in your spamd_rules.xml:
<rule id="2902" level="0">
  <if_sid>2900</if_sid>
  <match> checking message </match>
  <description>Spamd debug event (reading message).</description>
</rule>
It should fix this problem.
Thanks,
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 6/11/06, Kayvan A. Sylvan <[EMAIL PROTECTED]> wrote:
> I frequently get these types of alert notifications from OSSEC-HIDS.
>
> ----- Forwarded message from OSSEC HIDS <[EMAIL PROTECTED]> -----
>
> OSSEC HIDS Notification.
> 2006 Jun 11 14:29:53
>
> Received From: satyr->/var/log/maillog
> Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> Portion of the log(s):
>
> spamd[1433]: checking message <[EMAIL PROTECTED]> for nobody:99.
>
> ----- End forwarded message -----
>
> The problem is that the string "BAD" is found in the above.
>
> Maybe if we say that the match must be surrounded by whitespace then
> the above kind of misfire can be minimized?
>
> ---Kayvan
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
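The exchange above is about two ways to stop a catch-all "bad word" rule from
firing on a harmless spamd line. The following Python script is an added
illustration, not code from the thread or from OSSEC itself: it models a tiny
rule engine (parent/child via if_sid, case-insensitive substring match, level 0
meaning "drop") and runs the spamd line through it with and without Daniel's
rule 2902, then shows why Kayvan's whitespace-bounding idea misses hits that
follow a comma. The parent rule 2900, the word list behind rule 102, and the
message-id in the sample line are assumptions (the original id was redacted),
and the evaluation order is a deliberate simplification of OSSEC's engine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int
    match: str                     # OSSEC <match>: substring (modelled as case-insensitive)
    description: str
    if_sid: Optional[int] = None   # OSSEC <if_sid>: parent rule that must match first


# Constructed rules modelling the thread. Parent 2900 is assumed to be a
# level-0 spamd grouping rule; rule 102's real word list is not in the
# thread, so the single word "bad" stands in for it.
PARENT_2900 = Rule(2900, 0, "spamd", "spamd grouping rule (assumed)")
CATCHALL_102 = Rule(102, 7, "bad", "Unknown problem somewhere in the system.")
FIX_2902 = Rule(2902, 0, " checking message ",
                "Spamd debug event (reading message).", if_sid=2900)

RULES_BEFORE: List[Rule] = [PARENT_2900, CATCHALL_102]
RULES_AFTER: List[Rule] = [PARENT_2900, CATCHALL_102, FIX_2902]

# Constructed sample line: the message-id in the forwarded alert was redacted,
# so one containing "bad" as a substring is used to reproduce the misfire.
SPAMD_LINE = ("spamd[1433]: checking message <20060611.abadf00d@example.com>"
              " for nobody:99.")


def rule_matches(rule: Rule, log: str) -> bool:
    """OSSEC-style <match>: plain substring test, case-insensitive here."""
    return rule.match.lower() in log.lower()


def evaluate(log: str, rules: List[Rule]) -> Optional[Rule]:
    """Simplified model (not OSSEC's real ordering): every top-level rule is
    tried; when one matches, its if_sid children are tried; the deepest match
    wins and a higher level breaks ties. Returns the winning rule or None."""
    children: Dict[int, List[Rule]] = {}
    for r in rules:
        if r.if_sid is not None:
            children.setdefault(r.if_sid, []).append(r)
    candidates = []  # (depth, level, rule)
    for r in rules:
        if r.if_sid is None and rule_matches(r, log):
            hit = (0, r.level, r)
            for child in children.get(r.rule_id, []):
                if rule_matches(child, log):
                    hit = (1, child.level, child)
                    break
            candidates.append(hit)
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


def alert_level(log: str, rules: List[Rule]) -> int:
    """Level the event is reported at; 0 means it is dropped, as in OSSEC."""
    winner = evaluate(log, rules)
    return winner.level if winner else 0


def whitespace_bounded(word: str, log: str) -> bool:
    """Kayvan's proposal: count a hit only when whitespace (or line edge)
    surrounds the word. Correctly ignores "abadf00d", but also ignores a
    real "bad," or "\"bad\"", which is Daniel's objection."""
    pattern = r"(?:^|\s)" + re.escape(word) + r"(?:\s|$)"
    return re.search(pattern, log, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("before fix, level:", alert_level(SPAMD_LINE, RULES_BEFORE))   # 7
    print("after fix, level: ", alert_level(SPAMD_LINE, RULES_AFTER))    # 0
    print("whitespace-bounded on spamd line:",
          whitespace_bounded("bad", SPAMD_LINE))                          # False
    print("whitespace-bounded on 'result: bad, retrying':",
          whitespace_bounded("bad", "auth result: bad, retrying"))        # False
```

The specific level-0 child rule wins because it is the more precise
classification of the event, which is why it silences the generic rule without
touching the catch-all itself; the whitespace check, by contrast, changes how
every rule matches and loses the punctuated hits Daniel mentions.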