[ossec-list] Re: Amavis Maia spamassassin

Fri, 14 Dec 2007 15:36:27 -0800 

Hi,

i fix the problem with this rule in local_rules:

<!-- Mail/Amavis messages --
>
<group
name="syslog,mail,">
    <rule id="100031"
level="0">
        <program_name>^amavis</
program_name>
        <description>Ignoring amavis messages.</
description>
    </
rule>
</
group>
<!-- SYSLOG,POSTFIX,AMAVIS,MAIA -->

ossec stop send mail all minute, but is a good rule? don't have a
problem?


On Dec 14, 9:42 am, "Kivanio Barbosa" <[EMAIL PROTECTED]> wrote:
> Hi!,
>
> i'm starting with ossec on freebsd 6.2 machine.
>
> but when ossec start, it sent  mail  every minute about  log  in maillog,
> because MAIA+AMAVIS make a very extensive log,
> and then match with rule 1002 and 1003.
> in the rule 1003 i fix  with  big maxsize, but i  don't think this a good
> ideia.
>
>  <rule id="1002"
> level="2">
>
> <match>$BAD_WORDS</match>
>
> <options>alert_by_email</options>
>     <description>Unknown problem somewhere in the
> system.</description>
>
> </rule>
>
>   <rule id="1003" level="13"
> maxsize="20856">
>     <description>Non standard syslog message (size too
> large).</description>
>   </rule>
>
> how to make to fix this problem?
> create a new rule?
> exist one rule about it?
> anybody has this rule or problem?
>
> Received From: capitao->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Dec 14 08:16:28 capitao amavis[80589]: (80589-10) Maia: [read_system_config]
> Bad header checking is ENABLED
>
> Received From: capitao->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Dec 14 08:16:04 capitao amavis[80635]: (80635-10) extra modules loaded:
> /usr/local/etc/mail/spamassassin/FuzzyOcr.pm,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/autosplit.ix,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_any2n.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_n2dx.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_aton.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_n2d.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/autosplit.ix,
> Crypt/Blowfish.pm, Crypt/CBC.pm, Error.pm, Mail/SPF.pm, Mail/SPF/Base.pm,
> Mail/SPF/Exception.pm, Mail/SPF/MacroString.pm, Mail/SPF/Mech.pm,
> Mail/SPF/Mech/A.pm, Mail/SPF/Mech/All.pm, Mail/SPF/Mech/Exists.pm,
> Mail/SPF/Mech/IP4.pm, Mail/SPF/Mech/IP6.pm, Mail/SPF/Mech/Include.pm,
> Mail/SPF/Mech/MX.pm, Mail/SPF/Mech/PTR.pm, Mail/SPF/Mod.pm,
> Mail/SPF/Mod/Exp.pm, Mail/SPF/Mod/Redirect.pm, Mail/SPF/Record.pm,
> Mail/SPF/Re
> quest.pm, Mail/SPF/Result....
>
> complete log:
>
> mavis[80841]: (80841-08) extra modules loaded:
> /usr/local/etc/mail/spamassassin/FuzzyOcr.pm,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/autosplit.ix,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_any2n.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_aton.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/autosplit.ix,
> Error.pm, Mail/SPF.pm, Mail/SPF/Base.pm, Mail/SPF/Exception.pm,
> Mail/SPF/MacroString.pm, Mail/SPF/Record.pm, Mail/SPF/Request.pm,
> Mail/SPF/Result.pm, Mail/SPF/Server.pm, Mail/SPF/Util.pm,
> Mail/SpamAssassin/Locales.pm, Mail/SpamAssassin/Plugin/Bayes.pm,
> Mail/SpamAssassin/Plugin/BodyEval.pm, Mail/SpamAssassin/Plugin/Check.pm,
> Mail/SpamAssassin/Plugin/DNSEval.pm, Mail/SpamAssassin/Plugin/HTMLEval.pm,
> Mail/SpamAssassin/Plugin/HTTPSMismatch.pm,
> Mail/SpamAssassin/Plugin/HeaderEval.pm,
> Mail/SpamAssassin/Plugin/ImageInfo.pm, Mail/SpamAssassin/Plugin/MIMEEval.pm,
> Mail/SpamAssassin/Plugin/RelayEva...
>
> Dec 14 08:16:20 amavis[80841]: (80841-08) ...l.pm,
> Mail/SpamAssassin/Plugin/URIDetail.pm, Mail/SpamAssassin/Plugin/URIEval.pm,
> Mail/SpamAssassin/Plugin/VBounce.pm, Mail/SpamAssassin/Plugin/WLBLEval.pm,
> NetAddr/IP.pm, NetAddr/IP/Lite.pm, NetAddr/IP/Util.pm,
> NetAddr/IP/Util_IS.pm, String/Approx.pm, unicore/lib/gc_sc/Word.pl,
> version.pm, version/vxs.pm
>
> and more other small logs for amavis.
>
> Thanks, sorry for bad english, i'm learning :D
>
> --
> Kivanio Pereira Barbosa
> Cel 8121-4248
>
> www.eiqconsultoria.com.br

Reply via email to