On Monday 02 October 2006 14:39, Daniel Cid wrote:

Hi Daniel,

Working perfectly now :-)
My alerts inbox thanks you and my sanity thanks you also :-)

> Hi Francesca,
>
> Just remove the "srcip" option and it will work. The srcip is populated
> from the log itself, but in this case, we are not extracting it in the
> decoders.
>
> Final rule:
>
> <rule id="100020" level="0">
>   <if_sid>1002</if_sid>
>   <match>query (cache)</match>
>   <description>Ignoring Bind Chatter</description>
> </rule>
>
> Hope it helps..
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 10/1/06, Francesca Smith <[EMAIL PROTECTED]> wrote:
> > On Sunday 01 October 2006 03:17, [EMAIL PROTECTED] wrote:
> >
> > Hello,
> >
> > I tried that and I am getting the same messages. Perhaps it's the IP since
> > the messages seem to come tagged as from the router rather than local IP.
> >
> > > Put level="0" instead of level="7"
> > >
> > > Francesca Smith wrote:
> > > > Hiya,
> > > >
> > > > I am getting tons of these messages from my name servers. I run
> > > > several hosting companies and these are all departed customers who
> > > > have not updated dns to point at new servers or just have domains
> > > > specified with our nameservers but no local zones set up on our
> > > > nameservers. This meaning these messages are much ado about nothing
> > > > but the key word "denied" correctly triggers a generic notification.
> > > >
> > > > Received From: (LLCP) XXX.XXX.XXX.XXX->/var/log/messages
> > > > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> > > > system." Portion of the log(s):
> > > >
> > > > named[12637]: client XXX.XXX.XXX.XXX#32769: query
> > > > (cache) 'somedomain.com/MX/IN' denied
> > > >
> > > > So I created the below custom rule to filter out these "Semi" false
> > > > positives.
> > > >
> > > > <rule id="100020" level="7">
> > > >   <if_sid>1002</if_sid>
> > > >   <srcip>XXX.XXX.XXX.XXX</srcip>
> > > >   <match>query (cache)</match>
> > > >   <description>Ignoring Bind Chatter</description>
> > > > </rule>
> > > >
> > > > I think I am not getting the instructions for excluding false
> > > > positives. Any suggestions will be welcomed :-) The "srcip" is set to
> > > > the ip of the ossec agent server generating these notifications.
> >
> > --
> > Kindest Regards,
> >
> > Francesca Smith
> >
> > "No Problems Only Solutions"
> > Lady Linux Internet Services
> > Baltimore, Maryland 21217

--
Kindest Regards,

Francesca Smith

"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
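To show why the first rule never fired and the final one does, here is an added toy evaluator written for this thread; it is not OSSEC's rule engine, and it assumes a decoded event dictionary (constructed here) in which the named decoder leaves srcip empty, exactly the situation Daniel describes. It models only the three options the thread uses (if_sid, srcip, match) and treats match as a plain substring test.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the log line quoted in the thread.
LOG_LINE = ("named[12637]: client XXX.XXX.XXX.XXX#32769: query "
            "(cache) 'somedomain.com/MX/IN' denied")

# Hypothetical decoded event (constructed, not real OSSEC output): rule 1002
# matched the word "denied", but no decoder extracted a source IP, so srcip
# is None even though an address is visible in the raw text.
DECODED_EVENT = {"full_log": LOG_LINE, "srcip": None, "parent_sid": 1002}

# The two rules from the thread: the original attempt and Daniel's final one.
RULE_WITH_SRCIP = """<rule id="100020" level="7">
  <if_sid>1002</if_sid>
  <srcip>XXX.XXX.XXX.XXX</srcip>
  <match>query (cache)</match>
  <description>Ignoring Bind Chatter</description>
</rule>"""

RULE_FINAL = """<rule id="100020" level="0">
  <if_sid>1002</if_sid>
  <match>query (cache)</match>
  <description>Ignoring Bind Chatter</description>
</rule>"""


def rule_matches(rule_xml, event):
    """Toy check: every option present in the rule must be satisfied."""
    rule = ET.fromstring(rule_xml)
    if_sid = rule.findtext("if_sid")
    if if_sid is not None and int(if_sid) != event["parent_sid"]:
        return False
    pattern = rule.findtext("match")
    if pattern is not None and pattern not in event["full_log"]:
        return False
    srcip = rule.findtext("srcip")
    # With no decoded srcip, a <srcip> condition can never be satisfied,
    # so the child rule silently fails and the level-7 parent alert stays.
    if srcip is not None and event.get("srcip") != srcip:
        return False
    return True


def effective_level(rule_xml, event, parent_level=7):
    """Alert level after the child rule: 0 means the event is ignored."""
    if rule_matches(rule_xml, event):
        return int(ET.fromstring(rule_xml).get("level"))
    return parent_level


if __name__ == "__main__":
    print("srcip rule fires:", rule_matches(RULE_WITH_SRCIP, DECODED_EVENT))
    print("final rule level:", effective_level(RULE_FINAL, DECODED_EVENT))
```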
