When OSSEC sends an email with several alerts inside, the level of the first one is inserted in the Subject of the mail. IMHO it should insert the highest level of alert in the Subject. It's especially a problem when multiple alerts of the same type are triggered:

Return-Path: <[EMAIL PROTECTED]>
Received: from xxxxx.xxxx.net (xxxx.xxxx.net [xx.xx.xx.53])
    by xxxx.xxxx.net (envelope-from [EMAIL PROTECTED]) (8.13.8/8.13.8/Debian-2) with ESMTP id k8F7Dw7k007618
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <[EMAIL PROTECTED]>; Fri, 15 Sep 2006 09:14:04 +0200
Received: from notify.ossec.net (localhost.localdomain [127.0.0.1])
    by xxxxx.xxxx.net (8.13.4/8.13.4/Debian-3sarge3) with SMTP id k8F797Lt014109
    for <[EMAIL PROTECTED]>; Fri, 15 Sep 2006 09:09:07 +0200
Message-Id: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
From: OSSEC HIDS <[EMAIL PROTECTED]>
Date: Fri, 15 Sep 2006 09:09:07 CEST
Subject: OSSEC Notification - yyyy - Alert level 7
X-Virus-Scanned-By: xxxx.xxxx.net, using SOPHIE & CLAMD
X-Spam-Scanned-By: xxxx.xxxx.net, using SpamAssassin 3.1.4 (hard limit 5)
X-Spam-Flag: No
X-Spam-Info: -9.865; BAYES_00,FORGED_RCVD_HELO
X-Scanned-By: MIMEDefang 2.57 on 10.XX.XX.1

OSSEC HIDS Notification.
2006 Sep 15 09:08:47

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:51

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:53

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]

--END OF NOTIFICATION

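The behaviour the post asks for, as an added example that is not OSSEC's own code: parse the "Rule: N fired (level L)" lines out of a batched notification body and build the Subject from the highest level in the batch instead of the first. The body, agent name "yyyy" and rule numbers follow the mail shown above; the sample text is constructed and shortened.

```python
import re
from collections import Counter

# Constructed sample in the notification format from the post: a level-7
# alert arrives first, a level-14 alert follows in the same mail body.
SAMPLE_BODY = """\
OSSEC HIDS Notification.
2006 Sep 15 09:08:47

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.

--END OF NOTIFICATION
"""

# One "Rule:" line per alert in the batch; groups are rule id and level.
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\)', re.MULTILINE)

def parse_alert_levels(body):
    """Return [(rule_id, level), ...] in the order the alerts appear."""
    return [(int(r), int(l)) for r, l in RULE_RE.findall(body)]

def first_and_highest(body):
    """(level of first alert, highest level in batch); None if no alerts."""
    levels = [l for _, l in parse_alert_levels(body)]
    return (levels[0], max(levels)) if levels else None

def build_subject(agent, body):
    """Subject line keyed on the highest alert level, as the post proposes."""
    summary = first_and_highest(body)
    if summary is None:
        raise ValueError("no OSSEC alerts found in body")
    return f"OSSEC Notification - {agent} - Alert level {summary[1]}"

def alerts_per_rule(body):
    """Count alerts per rule id, useful for a short digest line in the mail."""
    return dict(Counter(rule for rule, _ in parse_alert_levels(body)))
```

With the sample body the current behaviour would produce "Alert level 7" while the batch contains a level-14 alert; `build_subject` yields "Alert level 14".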