Hi Francesca,

Just remove the "srcip" option and it will work. The srcip is populated
from the log itself, but in this case, we are not extracting it in the
decoders.

Final rule:
<rule id="100020" level="0">
  <if_sid>1002</if_sid>
  <match>query (cache)</match>
  <description>Ignoring Bind Chatter</description>
</rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/1/06, Francesca Smith <[EMAIL PROTECTED]> wrote:

On Sunday 01 October 2006 03:17, [EMAIL PROTECTED] wrote:
Hello,

I tried that and I am getting the same messages. Perhaps it's the IP, since the
messages seem to come tagged as from the router rather than the local IP.


> Put : level="0" instead of level="7"
>
> Francesca Smith a écrit :
> > Hiya,
> >
> > I am getting tons of these messages from my name servers. I run several
> > hosting companies and these are all departed customers who have not
> > updated DNS to point at new servers, or just have domains specified with
> > our nameservers but no local zones set up on our nameservers. Meaning
> > these messages are much ado about nothing, but the key word "denied"
> > correctly triggers a generic notification.
> >
> > Received From: (LLCP) XXX.XXX.XXX.XXX->/var/log/messages
> > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > named[12637]: client XXX.XXX.XXX.XXX#32769: query
> > (cache) 'somedomain.com/MX/IN' denied
> >
> > So I created the below custom rule to filter out these "Semi" false
> > positives.
> >
> >   <rule id="100020" level="7">
> >     <if_sid>1002</if_sid>
> >     <srcip>XXX.XXX.XXX.XXX</srcip>
> >     <match>query (cache)</match>
> >     <description>Ignoring Bind Chatter</description>
> >   </rule>
> >
> >
> > I think I am not getting the instructions for excluding false positives.
> > Any suggestions will be welcomed :-) The "srcip" is set to the ip of the
> > ossec agent server generating these notifications.

--
Kindest Regards,

Francesca Smith

"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217

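To make the point of Daniel's reply concrete, here is a small Python model of the rule-matching steps involved. It is constructed example code added for this page, not OSSEC's source: the log line is a stand-in with RFC 5737 placeholder addresses, and the two decoders and the agent/client IPs are assumptions. It walks through four cases: the original rule with a `<srcip>` when no decoder extracts an IP (the parent 1002 alert still fires at level 7), the corrected rule without `<srcip>` (child 100020 matches at level 0 and the alert is dropped), and, going beyond the thread, a hypothetical decoder that does extract the IP from the `client a.b.c.d#port` field, which shows that srcip would then be the DNS client's address, not the agent's.

```python
"""Toy model of the OSSEC rule evaluation discussed in this thread.

Constructed example, not OSSEC code. Models only: a decoder that may or
may not extract srcip, parent rule 1002 (keyword match), and child rule
100020 that depends on it via if_sid and may carry a <srcip> condition.
"""
import re

# Constructed sample line in the shape of the quoted named log; the IP is a
# documentation-range placeholder, not a real client.
SAMPLE_LOG = ("named[12637]: client 192.0.2.10#32769: query "
              "(cache) 'somedomain.com/MX/IN' denied")

AGENT_IP = "198.51.100.7"   # assumed address of the OSSEC agent host
CLIENT_IP = "192.0.2.10"    # the DNS client embedded in SAMPLE_LOG

RULE_1002 = {"id": 1002, "level": 7, "match": ["denied"],
             "description": "Unknown problem somewhere in the system."}


def child_rule(srcip=None):
    """Rule 100020 as posted, optionally carrying Francesca's <srcip>."""
    rule = {"id": 100020, "level": 0, "if_sid": 1002,
            "match": ["query (cache)"], "description": "Ignoring Bind Chatter"}
    if srcip is not None:
        rule["srcip"] = srcip
    return rule


def decode_no_srcip(log):
    # The situation in the thread: no decoder pulls an IP out of this line,
    # so the srcip field the rule engine sees is empty.
    return {"program_name": "named", "srcip": None}


def decode_client_ip(log):
    # Hypothetical decoder (assumption, not shipped with OSSEC) that extracts
    # the 'client a.b.c.d#port' address. Note it is the DNS client, not the agent.
    m = re.search(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+", log)
    return {"program_name": "named", "srcip": m.group(1) if m else None}


def rule_matches(rule, log, fields):
    # <match> is a plain substring test against the log text.
    if not any(kw in log for kw in rule["match"]):
        return False
    # <srcip> compares against the decoded field; with nothing decoded it
    # can never be equal, so the rule silently fails to match.
    if "srcip" in rule and fields.get("srcip") != rule["srcip"]:
        return False
    return True


def evaluate(log, decoder, child):
    """Return (winning_rule_id, level). Level 0 means the alert is dropped."""
    fields = decoder(log)
    if not rule_matches(RULE_1002, log, fields):
        return None
    winner = RULE_1002
    # Children are only tried once their if_sid parent has matched.
    if child["if_sid"] == RULE_1002["id"] and rule_matches(child, log, fields):
        winner = child
    return (winner["id"], winner["level"])


if __name__ == "__main__":
    cases = [
        ("original rule, no decoded srcip", decode_no_srcip, child_rule(AGENT_IP)),
        ("srcip removed, no decoded srcip", decode_no_srcip, child_rule()),
        ("agent IP vs decoded client IP", decode_client_ip, child_rule(AGENT_IP)),
        ("client IP vs decoded client IP", decode_client_ip, child_rule(CLIENT_IP)),
    ]
    for name, dec, rule in cases:
        rid, lvl = evaluate(SAMPLE_LOG, dec, rule)
        print(f"{name:34s} -> rule {rid} level {lvl} "
              f"({'alert' if lvl > 0 else 'dropped'})")
```

The first case reproduces the reported behaviour: the child's `<srcip>` never matches because the field is empty, so rule 1002 wins at level 7 and the notification goes out. Dropping `<srcip>` lets the level-0 child win. The last two cases show that even if a decoder did populate srcip for this log, it would hold the querying client's address, so matching on the agent's own IP would still not suppress the alert.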