On Sunday 01 October 2006 03:17, [EMAIL PROTECTED] wrote:

Hello,

I tried that and I am getting the same messages. Perhaps it's the IP, since the messages seem to come tagged as from the router rather than the local IP.

> Put: level="0" instead of level="7"
>
> Francesca Smith wrote:
> > Hiya,
> >
> > I am getting tons of these messages from my name servers. I run several
> > hosting companies and these are all departed customers who have not
> > updated DNS to point at new servers or just have domains specified with
> > our nameservers but no local zones set up on our nameservers. This
> > means these messages are much ado about nothing, but the key word
> > "denied" correctly triggers a generic notification.
> >
> > Received From: (LLCP) XXX.XXX.XXX.XXX->/var/log/messages
> > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > named[12637]: client XXX.XXX.XXX.XXX#32769: query
> > (cache) 'somedomain.com/MX/IN' denied
> >
> > So I created the below custom rule to filter out these "semi" false
> > positives.
> >
> > <rule id="100020" level="7">
> >   <if_sid>1002</if_sid>
> >   <srcip>XXX.XXX.XXX.XXX</srcip>
> >   <match>query (cache)</match>
> >   <description>Ignoring Bind Chatter</description>
> > </rule>
> >
> > I think I am not getting the instructions for excluding false positives.
> > Any suggestions will be welcomed :-) The "srcip" is set to the IP of the
> > OSSEC agent server generating these notifications.

--
Kindest Regards,
Francesca Smith
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
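The thread turns on two points of OSSEC rule semantics: a child rule (one with `<if_sid>`) that matches takes over from its parent, and only a child at `level="0"` silences the event, whereas a child at `level="7"` still produces a level 7 alert under the new description; and `<srcip>` is compared against the address the decoder pulled out of the log line, not against the agent that shipped it. The following Python sketch is an added illustration of that evaluation order, written for this page; it is neither OSSEC's code nor the rule file from the thread. The log line, the IP addresses, the tiny "decoder" regex and the stand-in for rule 1002 are all constructed assumptions.

```python
import re

# Constructed sample log line, modelled on the one quoted in the thread.
# The client address and PID are made up for this example.
SAMPLE_LOG = ("named[12637]: client 192.0.2.10#32769: "
              "query (cache) 'somedomain.com/MX/IN' denied")

# Minimal stand-in for OSSEC's named decoder: extract the querying
# client's address from "client A.B.C.D#port:". This is an assumption
# about what the decoder yields as srcip, not OSSEC's own decoder.
CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+:")


def decode(line):
    """Return the decoded fields OSSEC-style rules would see."""
    m = CLIENT_RE.search(line)
    return {"srcip": m.group(1) if m else None, "full_log": line}


# Stand-in for rule 1002 (generic "bad words" rule, level 7): it fires
# on "denied" anywhere in the line. Simplified for the example.
PARENT_RULE = {"id": 1002, "level": 7, "match": "denied"}


def rule_matches(rule, event):
    """A rule matches only if every condition it carries is satisfied.
    A <srcip> condition can never match an event with no decoded srcip."""
    if rule.get("srcip") and rule["srcip"] != event["srcip"]:
        return False
    if rule.get("match") and rule["match"] not in event["full_log"]:
        return False
    return True


def evaluate(child_rule, line):
    """Return the alert level that would be raised for `line`, or 0 when
    the event is ignored. Models OSSEC's behaviour: a matching child
    (if_sid) rule overrides its parent, and level 0 means no alert."""
    event = decode(line)
    if not rule_matches(PARENT_RULE, event):
        return 0
    if (child_rule is not None
            and child_rule["if_sid"] == PARENT_RULE["id"]
            and rule_matches(child_rule, event)):
        return child_rule["level"]
    return PARENT_RULE["level"]


# The rule as posted in the thread: level 7, so the event still alerts,
# just with the description "Ignoring Bind Chatter".
POSTED_RULE = {"id": 100020, "if_sid": 1002, "level": 7,
               "srcip": "192.0.2.10", "match": "query (cache)"}

# Same rule with the level="0" suggested in the reply: event is ignored.
IGNORE_RULE = dict(POSTED_RULE, level=0)

# Same rule with srcip pointing at a host other than the querying client
# (e.g. the agent or a router): the child never matches, so 1002 fires.
WRONG_SRCIP_RULE = dict(IGNORE_RULE, srcip="192.0.2.1")


if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("ignore", IGNORE_RULE),
                       ("wrong srcip", WRONG_SRCIP_RULE)):
        print(f"{name:12s} -> alert level {evaluate(rule, SAMPLE_LOG)}")
```

Running it shows the posted rule still yielding a level 7 alert, the level 0 variant yielding nothing, and the variant with a mismatched `srcip` falling back to rule 1002. When an ignore rule does not take effect in practice, the first thing to check is which address the decoder actually extracted (OSSEC's `ossec-logtest` shows the decoded fields) before assuming the rule logic itself is wrong.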
