Hi
First, congrats on OSSEC, it's a wonderful tool!!
Now the question :D
I'm trying to write a "simple" rule to detect if our mail server is
having problems to send mails outside.
We use qmail, which uses tai64 to register time, but I've written a simple
script to transform the file values to a human-readable format:
2007-10-10 11:04:35.314480500 delivery 5263203: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
The rule is as follows:
<rule id="81011" level="10" frequency="5" timeframe="120">
<match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
<description>Qmail te problemes per enviar...</description>
</rule>
But it doesn't fire (I've checked that it should)...
I've also tried with:
<rule id="81010" level="0">
<match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
</rule>
<rule id="81011" level="10" frequency="3" timeframe="60">
<if_sid>81010</if_sid>
<description>Qmail te problemes per enviar...</description>
</rule>
But nothing happens, I've only been able to hit the simple rule (without
timeframe)...
Is it necessary to put an if_matched_sid or if_sid in the
frequency-timeframe rules, or could it be done only with a simple match
sentence (like the first one)?
If it's necessary, do I have to put another rule below this if? What if
the thing I want to catch has been caught previously?
Could the problem be the time format returned by tai64nlocal (2007-10-10
11:49:33.204450500)?
Thanks in advance
--
********************************************************
Daniel Rubio Rodríguez
OASI (Organisme Autònom Per la Societat de la Informació)
c/ Assalt, 12
43003 - Tarragona
Tef.: 977.244.007 - Fax: 977.224.517
e-mail: drubio a oasi.org
********************************************************
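Added illustration, not part of the original post: a small Python sketch of the threshold the poster's rule expresses (five lines matching the deferral string within 120 seconds), run over constructed log lines in the tai64nlocal-converted format shown above. It mirrors the sliding window an OSSEC composite rule keeps, which in OSSEC is keyed on <if_matched_sid> rather than <if_sid>; the sample lines, the 6-digit truncation of the nanosecond field and the helper names are assumptions of this example.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample lines in the format of the poster's tai64nlocal conversion.
SAMPLE_LOG = """\
2007-10-10 11:04:35.314480500 delivery 5263203: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
2007-10-10 11:04:40.000000000 delivery 5263204: success: done/
2007-10-10 11:05:01.100000000 delivery 5263205: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
2007-10-10 11:05:30.200000000 delivery 5263206: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
2007-10-10 11:06:02.300000000 delivery 5263207: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
2007-10-10 11:06:20.400000000 delivery 5263208: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
2007-10-10 11:20:00.000000000 delivery 5263209: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
"""

# The same literal the poster's <match> element uses.
MATCH = "t_able_to_establish_an_SMTP_connection._(#4.4.1)"

# "YYYY-MM-DD HH:MM:SS", a 9-digit nanosecond field, then the qmail message.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d{9}) (.*)$")
EPOCH = datetime(1970, 1, 1)

def parse_line(line):
    """Return (seconds_since_epoch, message) for one converted line, or None.
    tai64nlocal prints nanoseconds; datetime only parses microseconds, so the
    fractional field is truncated to 6 digits (assumption of this example)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)}.{m.group(2)[:6]}", "%Y-%m-%d %H:%M:%S.%f")
    return (ts - EPOCH).total_seconds(), m.group(3)

def find_alerts(log_text, frequency=5, timeframe=120):
    """Sliding-window threshold: fire when `frequency` matching lines fall
    within `timeframe` seconds, then reset the window. Returns the timestamp
    text (first 29 characters) of the line that triggered each alert."""
    window = deque()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or MATCH not in parsed[1]:
            continue  # unparseable or not a deferral: ignore
        ts = parsed[0]
        window.append(ts)
        while window and ts - window[0] > timeframe:
            window.popleft()  # drop matches older than the timeframe
        if len(window) >= frequency:
            alerts.append(line[:29])
            window.clear()
    return alerts
```

With the constructed lines, the 5-in-120s rule fires once (on the 11:06:20 line) and the 3-in-60s variant the poster also tried fires once, on the 11:05:30 line.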