I know what is going on... Basically ossec does a duplicate check when it
receives a message to see if it matches one of the last 3 logs received
before. It is useful when the same message is stored in two different log
files or when the same process logs the same thing twice (like sshd
parent and children). In addition to that, it ignores the date and the pid
portion of the log.

If you look at your messages, they are the exact same thing if we
exclude the pid and the date... So ossec is treating them as duplicates
and not counting them in the alerts.

sm-mta[]: ruleset=check_relay,
arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197],
reject=553 5.3.0 Mail from 203.114.112.197
rejected;see:http://www.spamhaus.org/query/bl?ip= 203.114.112.197
sm-mta[]: ruleset=check_relay,
arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197],
reject=553 5.3.0 Mail from 203.114.112.197
rejected;see:http://www.spamhaus.org/query/bl?ip= 203.114.112.197
sm-mta[]: ruleset=check_relay,
arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197],
reject=553 5.3.0 Mail from 203.114.112.197
rejected;see:http://www.spamhaus.org/query/bl?ip= 203.114.112.197


We will come up with a fix for that soon. Maybe do a list of processes
to do the duplicate check or something like that...

Thanks for the report.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/11/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Sorry, after looking further into the old logs (the .gz ones), I've
found that 203.114.112.197 fired rule "3103"
and rule "103107" (for "421 4.3.2 Too many" and "421 4.3.2 Connection")
but never fired "103157".

In fact in the ossec log I get:
- One alert for "3103"
- 5 alerts for "103107"

but if you look at my mail.log from this example we get:
- 4 "reject=553 5.3.0"
- 8 "reject=421 4.3.2 Too many open connections"
- 4 "reject=421 4.3.2 Connection rate limit exceeded"

Shouldn't I have got 4+8+4 = 16 alerts???
And 12 "103107" alerts should have been sufficient for firing rule
"103157", no?

Thanks for the help.

Sioban


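The duplicate check Daniel describes above (compare each incoming log against the last 3 received, ignoring the syslog date and the pid field) is easy to model, and modelling it shows exactly why Sioban's raw mail.log counts and the ossec alert counts disagree. The script below is an added illustration written for this thread, not ossec's own code: the date/pid stripping regexes, the "append every received log to the window" behaviour, and the sm-mta sample lines are all assumptions constructed here, chosen to mirror the messages quoted in the thread.

```python
import re
from collections import Counter, deque

# Assumed normalisation: drop the syslog timestamp and blank the [pid] field.
# ossec's real decoder does this its own way; the regexes here are a stand-in.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
PID_FIELD = re.compile(r"\[\d+\]")


def normalize(line):
    """Return the key the duplicate check compares: the line minus date and pid."""
    line = SYSLOG_DATE.sub("", line, count=1)
    return PID_FIELD.sub("[]", line, count=1)


class DuplicateFilter:
    """Keep the last `window` received logs; a log whose key is already
    in that window is treated as a duplicate and dropped (assumed semantics)."""

    def __init__(self, window=3):
        self.recent = deque(maxlen=window)

    def accept(self, line):
        key = normalize(line)
        is_new = key not in self.recent
        self.recent.append(key)  # every received log enters the window
        return is_new


def sm_mta_line(ts, pid, reject):
    """Build a constructed sendmail line in the shape quoted in the thread."""
    return (f"{ts} mailhost sm-mta[{pid}]: ruleset=check_relay, "
            f"arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197], "
            f"reject={reject}")


REJECT_553 = "553 5.3.0 Mail from 203.114.112.197 rejected;see:http://www.spamhaus.org/query/bl?ip=203.114.112.197"
REJECT_421_CONN = "421 4.3.2 Too many open connections"
REJECT_421_RATE = "421 4.3.2 Connection rate limit exceeded"

# Constructed sample: three identical 553 rejects back to back, then 421s,
# then one more 553 once the earlier ones have left the 3-entry window.
SAMPLE_LOG = [
    sm_mta_line("Oct 11 10:00:01", 11001, REJECT_553),
    sm_mta_line("Oct 11 10:00:02", 11002, REJECT_553),
    sm_mta_line("Oct 11 10:00:03", 11003, REJECT_553),
    sm_mta_line("Oct 11 10:00:04", 11004, REJECT_421_CONN),
    sm_mta_line("Oct 11 10:00:05", 11005, REJECT_421_CONN),
    sm_mta_line("Oct 11 10:00:06", 11006, REJECT_421_RATE),
    sm_mta_line("Oct 11 10:00:07", 11007, REJECT_553),
]


def reject_code(line):
    """Short label for the reject type, used only for the per-type summary."""
    return line.split("reject=", 1)[1].split(" Mail")[0]


def summarize(lines, window=3):
    """Return {reject type: (lines in the file, lines that survive dedup)}.

    The second number is what a frequency rule (like 103157 in the thread)
    actually gets to count, which is why it can stay below its threshold."""
    flt = DuplicateFilter(window)
    seen, counted = Counter(), Counter()
    for line in lines:
        code = reject_code(line)
        seen[code] += 1
        if flt.accept(line):
            counted[code] += 1
    return {code: (seen[code], counted[code]) for code in seen}


def surviving(lines, window=3):
    """Return only the lines the duplicate check lets through."""
    flt = DuplicateFilter(window)
    return [line for line in lines if flt.accept(line)]


if __name__ == "__main__":
    for code, (in_file, after_dedup) in summarize(SAMPLE_LOG).items():
        print(f"{code:<40} in mail.log: {in_file}  counted by ossec: {after_dedup}")
```

Running it over the constructed sample shows 4 of the 7 lines surviving: the three consecutive 553 rejects collapse to one, the two "Too many open connections" lines collapse to one, and the final 553 is accepted again only because the three intervening logs pushed the earlier copy out of the window. For a frequency rule this is the behaviour to keep in mind when checking whether a threshold should have been reached: count the events that reach the rule engine, not the lines in the file.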