Hi.
I was using ossec 0.9.x without problem and decided to upgrade to 1.0.
This rule was working:
<rule id="109999" level="0">
  <if_sid>1002</if_sid>
  <regex>Error strings? : yes|mimedefang.pl[\d+]: MDLOG,\w+,mail_in|mimedefang.pl[\d+]: MDLOG,\w+,modify||mimedefang.pl[\d+]: MDLOG,\w+,spam|: don't print any messages or errors|mlnet_error|smartd[\d+]: Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 252 to 253|smartd[\d+]: Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 253 to 252|Unable to connect to shock.cloudmark.com|mimedefang.pl[\d+]: MDLOG,\w+,drop,Bad html: Image cidN</regex>
  <description>Events ignored</description>
</rule>
But since 1.0 it seems that it doesn't anymore:
- Jan 19 09:15:08 shax mimedefang.pl[11406]: MDLOG,l0J8EflD010567,modify,CHANGE NOTIMG Not image http://adserver.adtech.de/adserv|3.0|224|135569|0|1|ADTECH;grp=1;loc=300; CHANGE NOTIMG Not image http://mirror.apec.fr/r/?id=hbb27cc%2C4339828%2C1 ,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,12 Offre(s) xxxx du 19/01/2007
-> Should have been caught by "mimedefang.pl[\d+]: MDLOG,\w+,modify"
- Jan 18 17:14:02 shax mimedefang.pl[25011]: MDLOG,l0IGDBvv011712,mail_in,,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,[mod-security-users] Bad Gateway
- Jan 19 09:15:31 shax mimedefang.pl[11406]: MDLOG,l0J8EflD010567,mail_in,,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,12 Offre(s) xxxx du 19/01/2007
-> Should have been caught by "mimedefang.pl[\d+]: MDLOG,\w+,mail_in"
I've noted that I have "||" in the regex, just after the "modify" keyword.
Maybe that's the problem, I've removed it now and I'll see if it happens again.
Bye.
Sioban
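
A check for the doubled "|" noted in the post, as an added example (not part of the original message or of OSSEC): it scans rule XML for empty alternatives in <regex>/<match> patterns. The sample rule is a constructed, shortened copy of the one above, and treating a backslash as escaping the next character is an assumption about the pattern syntax.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened rule modelled on the one in the post (same "||" slip).
SAMPLE_RULE = r"""<rule id="109999" level="0">
  <if_sid>1002</if_sid>
  <regex>Error strings? : yes|mimedefang.pl[\d+]: MDLOG,\w+,mail_in|mimedefang.pl[\d+]: MDLOG,\w+,modify||mimedefang.pl[\d+]: MDLOG,\w+,spam|mlnet_error</regex>
  <description>Events ignored</description>
</rule>"""


def split_alternatives(pattern):
    """Split on unescaped '|'. Assumption: a backslash escapes the next char."""
    branches, current, i = [], [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            current.append(pattern[i:i + 2])  # keep the escaped pair intact
            i += 2
            continue
        if ch == "|":
            branches.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    branches.append("".join(current))
    return branches


def find_empty_alternatives(rules_xml):
    """Return (rule id, tag, branch index, previous branch) per empty branch."""
    # Wrap the input so a file with several top-level elements still parses.
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    findings = []
    for rule in root.iter("rule"):
        for elem in rule:
            if elem.tag not in ("regex", "match"):
                continue
            branches = split_alternatives(elem.text or "")
            for idx, branch in enumerate(branches):
                if branch.strip() == "":
                    prev = branches[idx - 1] if idx else ""
                    findings.append((rule.get("id"), elem.tag, idx, prev))
    return findings


if __name__ == "__main__":
    for rid, tag, idx, prev in find_empty_alternatives(SAMPLE_RULE):
        print(f"rule {rid}: empty alternative #{idx} in <{tag}> after {prev!r}")
```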