Hi,

I don't think it's a smart move to change the rules directly because they'll be overwritten during upgrade. Creating exceptions for those specific rules in local_rules.xml is the recommended approach.
Cheers,
Wim

On Thu, Feb 11, 2010 at 6:34 PM, oscar schneider <[email protected]> wrote:
> Do you really get ALL alerts? The example Wim posted is not the only rule
> that has a level below 7 but regardless forces an e-mail alert; there are
> others, e.g. rule 1002.
>
> Make sure you really get e-mails for alerts triggered by rules that do not
> contain <options>alert_by_email</options> and have a severity lower than 7.
>
> If you don't find one, then the problem is already described by Wim, and if
> you're really sure you don't wanna get any emails for alerts < 7 you can just
> remove every line containing <options>alert_by_email</options> from the rule
> files located in Ossecdir/rules/. However, this might not be the best idea,
> because you might miss stuff that can possibly mean trouble but is more
> often not so relevant, as with rule 1002.
>
> On Thu, Feb 11, 2010 at 10:42 AM, csirt <[email protected]> wrote:
>> Hi,
>> sorry, but my problem is that I do not want to get any e-mail with a level
>> lower than 7.
>> At the moment I get all alerts, regardless of the level.
>>
>> regards
>>
>> 2010/2/10 Wim Remes <[email protected]>
>>> Hi,
>>> you are partially correct. You can also generate e-mails by using
>>> <options>alert_by_email</options>, as is the case for rule 31122.
>>>
>>> <rule id="31122" level="5">
>>>   <if_sid>31120</if_sid>
>>>   <id>^500</id>
>>>   <options>alert_by_email</options>
>>>   <description>Web server 500 error code (Internal Error).</description>
>>>   <group>system_error,</group>
>>> </rule>
>>>
>>> You can either edit this one directly or overrule it using local_rules.xml.
>>>
>>> Cheers,
>>> Wim
>>>
>>> On 10 Feb 2010, at 05:44, csirt wrote:
>>>
>>> Hi,
>>> I have a problem with the configuration of OSSEC running in local mode.
>>> Following is an example of some of the alarms I get in my mailbox, but do
>>> not want to be alarmed about:
>>>
>>>> OSSEC HIDS Notification.
>>>> 2010 Feb 10 03:24:55
>>>>
>>>> Received From: xx->/var/log/apache2/access.log
>>>> Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
>>>> Portion of the log(s):
>>>>
>>>> 67.195.112.246 - - [10/Feb/2010:03:24:54 +0100] "GET /gallery/displayimage.php?album=lastup&cat=0&pos=74 HTTP/1.0" 500 - "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
>>>>
>>>> --END OF NOTIFICATION
>>>
>>> These are the (imho) relevant parts of my ossec.conf:
>>> ...
>>> <global>
>>>   <email_notification>yes</email_notification>
>>>   <email_to>[email protected]</email_to>
>>>   <smtp_server>localhost</smtp_server>
>>>   <email_from>oss...@ossec</email_from>
>>> </global>
>>> ...
>>> <alerts>
>>>   <log_alert_level>1</log_alert_level>
>>>   <email_alert_level>7</email_alert_level>
>>> </alerts>
>>> ...
>>>
>>> My understanding is that I should only get emails if the level is
>>> 7 or above. Am I wrong about that?
>>>
>>> regards

--
Wim Remes
Security Afficionado
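As an added example (not code from the thread or from the OSSEC project), the Python helper below applies the check oscar describes and the fix Wim recommends: it parses a rules file, lists rules below `email_alert_level` that still carry `<options>alert_by_email</options>`, and builds a local_rules.xml stanza that copies the rule without that option. It assumes OSSEC's `overwrite="yes"` rule attribute and runs on a constructed sample rule set modelled on rule 31122.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on rule 31122 as quoted in the thread, plus a
# made-up high-level control rule (id 100001); not a real OSSEC rules file.
SAMPLE_RULES = """
<group name="web,accesslog,">
  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id>^500</id>
    <options>alert_by_email</options>
    <description>Web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>
  <rule id="100001" level="9">
    <if_sid>31120</if_sid>
    <options>alert_by_email</options>
    <description>Constructed control rule above the threshold.</description>
  </rule>
</group>
"""

def iter_rules(rules_xml):
    """OSSEC rule files may hold several top-level <group> elements, so wrap
    the text in a synthetic root before parsing."""
    root = ET.fromstring("<ossec_rules>" + rules_xml + "</ossec_rules>")
    return root.iter("rule")

def _email_opts(rule):
    # All <options> children of a rule that force an e-mail alert.
    return [o for o in rule.findall("options")
            if o.text and o.text.strip() == "alert_by_email"]

def forced_email_rules(rules_xml, email_alert_level):
    """Ids of rules below the e-mail threshold that still force mail."""
    return [r.get("id") for r in iter_rules(rules_xml)
            if int(r.get("level", "0")) < email_alert_level and _email_opts(r)]

def local_override(rules_xml, rule_id):
    """Build a local_rules.xml stanza that copies the rule, drops
    alert_by_email and sets overwrite="yes" so it survives upgrades."""
    for rule in iter_rules(rules_xml):
        if rule.get("id") == rule_id:
            rule.set("overwrite", "yes")
            for opt in _email_opts(rule):
                rule.remove(opt)
            return ET.tostring(rule, encoding="unicode").strip()
    raise KeyError(rule_id)
```

The returned stanza keeps the original rule id and must be placed inside a `<group>` element in local_rules.xml for OSSEC to load it.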
