Hi Daniel,

You got very close with the second rule. Just change it to:

<rule id="81010" level="0">
  <match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
</rule>
<rule id="81011" level="10" frequency="3" timeframe="60">
  <if_matched_sid>81010</if_matched_sid>
  <description>Qmail is having problems sending...</description>
</rule>

Whenever you want to look at multiple events, always use if_matched_sid or if_matched_group. This document can be helpful to understand it: http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/10/07, Daniel Rubio <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> First, congrats on OSSEC, it's a wonderful tool!!
> Now the question :D
>
> I'm trying to write a "simple" rule to detect if our mail server is
> having problems sending mail outside.
> We use qmail, which uses tai64 to record time, but I've written a simple
> script to transform the file values to human-readable format:
>
> 2007-10-10 11:04:35.314480500 delivery 5263203: deferral:
> Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
>
> The rule is as follows:
>
> <rule id="81011" level="10" frequency="5" timeframe="120">
>   <match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
>   <description>Qmail is having problems sending...</description>
> </rule>
>
> But it doesn't fire (I've checked that it should have)...
>
> I've also tried with:
>
> <rule id="81010" level="0">
>   <match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
> </rule>
> <rule id="81011" level="10" frequency="3" timeframe="60">
>   <if_sid>81010</if_sid>
>   <description>Qmail is having problems sending...</description>
> </rule>
>
> But nothing happens; I've only been able to hit the simple rule (without
> a timeframe)...
>
> Is it necessary to put an if_matched_sid or if_sid in the
> frequency-timeframe rules, or could it be done with only a simple match
> sentence (like the first one)?
> If it is necessary, do I have to put another rule below this one? What if
> the thing I want to catch has been caught previously?
>
> Could the problem be the time format returned by tai64nlocal (2007-10-10
> 11:49:33.204450500)?
>
> Thanks in advance
>
>
>
> --
> ********************************************************
> Daniel Rubio Rodríguez
> OASI (Organisme Autònom Per la Societat de la Informació)
> c/ Assalt, 12
> 43003 - Tarragona
> Tel.: 977.244.007 - Fax: 977.224.517
> e-mail: drubio a oasi.org
> ********************************************************
>
>
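The following is an added example, not code from the thread or from OSSEC itself: a small Python reimplementation of the two-rule pattern Daniel Cid recommends (a level-0 base rule that matches one log line, and a composite rule that fires when the base rule has matched `frequency` times within `timeframe` seconds). The evaluator is hypothetical and only illustrates the semantics; the pattern string and the tai64nlocal-converted timestamp format are taken from the thread, and the qmail log lines fed to it are constructed for the example.

```python
"""Simulate OSSEC-style composite rule evaluation (illustrative, not OSSEC code).

Rule 81010 (level 0) is the base rule: a plain substring match on one line.
Rule 81011 (frequency=3, timeframe=60) is the composite rule: it fires once
rule 81010 has matched `frequency` times within `timeframe` seconds.
"""
from collections import deque
from datetime import datetime

# Pattern from the thread. OSSEC <match> is a plain substring test, so the
# parentheses and the '#' are literal characters here as well.
BASE_MATCH = "t_able_to_establish_an_SMTP_connection._(#4.4.1)"

DEFERRAL = "deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/"


def parse_ts(line):
    """Parse the tai64nlocal-converted prefix, e.g. '2007-10-10 11:04:35.314480500 ...'.

    tai64nlocal prints nanoseconds and datetime only accepts microseconds, so
    the fractional part is dropped; whole seconds are enough for a timeframe.
    """
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").timestamp()


class CompositeRule:
    """Base rule + frequency/timeframe rule, sharing one sliding window of hits."""

    def __init__(self, pattern, frequency, timeframe):
        self.pattern = pattern
        self.frequency = frequency
        self.timeframe = timeframe
        self.hits = deque()  # timestamps of base-rule matches still in the window

    def feed(self, line):
        """Return 81011 if the composite rule fires, 81010 if only the base rule
        matched this line, None if the line does not match at all."""
        if self.pattern not in line:
            return None
        ts = parse_ts(line)
        self.hits.append(ts)
        # Drop matches that fell out of the timeframe (sliding window).
        while self.hits and ts - self.hits[0] > self.timeframe:
            self.hits.popleft()
        if len(self.hits) >= self.frequency:
            self.hits.clear()  # one burst -> one alert, then start counting again
            return 81011
        return 81010


def evaluate(lines, frequency=3, timeframe=60):
    """Run the rule pair over a sequence of log lines; one result per line."""
    rule = CompositeRule(BASE_MATCH, frequency, timeframe)
    return [rule.feed(line) for line in lines]


# Constructed sample logs (tai64nlocal-style timestamps, as in the thread).
# Three deferrals inside 45 seconds, with one unrelated line in between.
BURST = [
    "2007-10-10 11:04:35.314480500 delivery 5263203: " + DEFERRAL,
    "2007-10-10 11:04:50.000000000 delivery 5263204: " + DEFERRAL,
    "2007-10-10 11:05:02.000000000 starting delivery 5263205: msg 12345 to remote user@example.com",
    "2007-10-10 11:05:20.000000000 delivery 5263205: " + DEFERRAL,
]

# Three deferrals spread over 3.5 minutes: never three within 60 seconds.
SPREAD = [
    "2007-10-10 11:04:35.000000000 delivery 5263206: " + DEFERRAL,
    "2007-10-10 11:06:00.000000000 delivery 5263207: " + DEFERRAL,
    "2007-10-10 11:08:00.000000000 delivery 5263208: " + DEFERRAL,
]

if __name__ == "__main__":
    print("burst :", evaluate(BURST))   # [81010, 81010, None, 81011]
    print("spread:", evaluate(SPREAD))  # [81010, 81010, 81010]
```

The point the simulation makes visible is the division of labour: the base rule only ever says "this one line matched", and the counting over time belongs to the rule that references it (if_matched_sid in OSSEC). Spreading the same three deferrals over more than the timeframe leaves only base-rule hits, which is the behaviour the composite rule exists to distinguish from a real burst.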
