Hi,

if you have a default ossec.conf with your e-mail address and smtp server
configured correctly you should get an email if 16 drops occur in 45
seconds. Of course you also need to make sure that the firewall messages are
passed to ossec, e.g. by configuring it in ossec.conf as localfile.

To see if the drop messages of your firewall match these ossec rules, run
them through ossec logtest.

If that turns out not to help, post the result of ossec logtest and post
some example messages for packet drops for your firewall.

On Thu, Feb 11, 2010 at 12:51 PM, GPLExpert <[email protected]> wrote:

> Hello,
>
> It seems that ossec supports PF rules, but when there are multiple drops
> I would like to have an email.
>
> There is this in the decoder.xml
>
> <decoder name="pf">
>   <type>firewall</type>
>   <program_name>^pf$</program_name>
>   <plugin_decoder>PF_Decoder</plugin_decoder>
> </decoder>
>
> And when I paste a pf log into ossec-logtest
> it matches the rules:
>
> **Phase 2: Completed decoding.
>       decoder: 'pf'
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '4100'
>       Level: '0'
>       Description: 'Firewall rules grouped.'
>
> and this in firewall.rules
>
> <rule id="4101" level="5">
>    <if_sid>4100</if_sid>
>    <!--<action>DROP</action> -->
>    <!--<action>block</action>-->
>    <match>block</match>
>    <!-- <options>no_log</options> -->
>
>    <description>Firewall drop event.</description>
>    <group>firewall_drop,</group>
>  </rule>
>
>  <rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
>    <if_matched_sid>4101</if_matched_sid>
>    <same_source_ip />
>    <description>Multiple Firewall drop events from same source.</description>
>    <group>multiple_drops,</group>
>  </rule>
>
>
> I've tried to write a rule in local_rules.xml but with no success.
>
> Have you got a solution to send mail when a scan is done?
>
> Regards
> Thomas BRETON
>

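To make concrete what the quoted rule 4151 expresses, here is an added example (not OSSEC's own code and not from either message) that models its same_source_ip + frequency/timeframe/ignore logic in Python over constructed pflog-style lines. The log line format and the source-IP regex are assumptions, a simplification of what OSSEC's PF_Decoder extracts, and the real engine's exact counting may differ.

```python
import re
from collections import defaultdict, deque

# Parameters copied from the quoted rule 4151.
FREQUENCY, TIMEFRAME, IGNORE = 16, 45, 240

# Assumed pflog-style syslog line: the source IP is the address before the first
# "port >" (a simplification of what OSSEC's PF_Decoder actually parses).
PF_BLOCK = re.compile(r"\bblock\b.*?\s(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>")


class DropCorrelator:
    """Sliding-window model of if_matched_sid + same_source_ip + frequency/timeframe/ignore."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME, ignore=IGNORE):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.window = defaultdict(deque)   # src ip -> timestamps of recent drops
        self.ignored_until = {}            # src ip -> time until which that source is muted

    def feed(self, ts, line):
        """Return an alert string for this line, or None."""
        m = PF_BLOCK.search(line)
        if not m:
            return None                    # no "block": rule 4101 does not fire
        src = m.group("src")
        if ts < self.ignored_until.get(src, -1):
            return None                    # inside the ignore="240" period for this source
        q = self.window[src]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:
            q.popleft()                    # forget drops older than timeframe="45"
        if len(q) >= self.frequency:       # frequency="16" drops in the window
            q.clear()
            self.ignored_until[src] = ts + self.ignore
            return f"Rule 4151 level 10: Multiple Firewall drop events from same source ({src})"
        return None


def run(events):
    """Feed (timestamp, line) pairs in time order and collect the alerts raised."""
    c = DropCorrelator()
    return [a for a in (c.feed(ts, line) for ts, line in sorted(events)) if a]


def sample_events():
    """Constructed sample: one noisy source, one slow source, one 'pass' line."""
    line = "pf: block in on em0: {src}.{sport} > 192.0.2.10.22: S"
    fast = [(t, line.format(src="203.0.113.7", sport=40000 + t)) for t in range(0, 64, 2)]   # 32 drops, 2 s apart
    slow = [(t, line.format(src="198.51.100.9", sport=50000 + t)) for t in range(0, 64, 4)]  # 16 drops, 4 s apart
    return fast + slow + [(1, "pf: pass in on em0: 198.51.100.1.1234 > 192.0.2.10.80: S")]


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

The noisy source raises exactly one alert at its 16th drop and is then silent for 240 seconds; the slow source never has 16 drops inside any 45-second window.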