Hi all, I've been using OSSEC for some higher-traffic web servers running ModSecurity SPAM/RBL rules as well as standard web-attack rules. I have classified the RBL rules as alert level 9 and the web-attack rules as alert level 11. Both are sending emails.

The RBL rules trigger *very* often, and I noticed in my alert level 11 emails (for web attacks only) that there are often a large number of alert level 9 alerts that show up in these emails, and I often have to sort through the email to find the actual alert level 11. My understanding was that the subject and the body are supposed to contain the same content and not overlap. Is this a known issue or a "feature"? I mean, I know there are some rules that trigger when a certain other rule has been triggered too many times, but I'm pretty certain I don't have it set up this way.

Any input on this? Thanks, Jeremy
