Thx for the hints.
I'm trying to find out what's going wrong.
I didn't find the mistake.
But I found a fix ....
<rule id="101002" level="2">
  <if_sid>1002</if_sid>
  <program_name>^smf-sav</program_name>
  <regex>sender check tempfailed:</regex>
  <options>no_email_alert</options>
</rule>
<rule id="101003" level="2">
  <if_sid>1002</if_sid>
  <program_name>^smf-sav</program_name>
  <regex>sender check failed:</regex>
  <options>no_email_alert</options>
</rule>
I wonder why rule 3196 will not match??
cheers
Jochen
On 15.05.2008 at 20:19, Rob Skoog wrote:
>
> Joachim Vorrath wrote:
>> Hi All,
>>
>> How can I fix that?
>>
>>> OSSEC HIDS Notification.
>>> 2008 May 15 19:05:10
>>>
>>> Received From: www->/var/log/maillog
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>>> system."
>>> Portion of the log(s):
>>>
>>> May 15 19:05:09 www smf-sav[12380]: sender check tempfailed: <[EMAIL PROTECTED]>, 78.162.69.28, [78.162.69.28], [00:01:00]
>>>
>>
>> In sendmail_rules.xml there was a part for it
>> <!-- Rules for SMF-SAV -->
>> rule 3190 and 3191
>> also a part in decoder.xml
>> but in my opinion it's only for 'sender check failed'
>> not for 'sender check tempfailed'!
>>
>>
>> I'm running OSSEC 1.5 local.
>>
>>
>>
>> cheers,
>>
>> Jochen
>>
>>
>>
>> ______________________________________
>> XamimeLT - installed on mailserver for domain at vorrath-net.de
>> Queries to: postmaster at vorrath-net.de
>
> You might find rule 1002 in syslog_rules.xml (The rule triggering the
> alert) helpful. I assume by fixing it you want to make the alerts go
> away. If that is the case the following link should be helpful.
>
> http://www.ossec.net/wiki/index.php/Know_How:Email_Alerts_below_7
>
> Rob
>