Brian,

If you do not want the e-mail alerts, then add the option tag to your rule:

  <options>no_email_alert</options>

Dennis Carter
Pinellas County Govt
Business Technology Services
727-464-4527

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian
Sent: Tuesday, April 13, 2010 5:22 PM
To: ossec-list
Subject: [ossec-list] Rule for web access_log not working

I have the following "whitelist" rule that is still producing email alerts, in local_rules.xml:

  <group name="web,accesslog,apache,">
    <rule id="200004" level="0">
      <srcip>1.2.3.4</srcip>
      <regex>www\.example\.com/v9/windowsupdate/</regex>
      <description>X is asking for Windows updates?</description>
    </rule>
  </group>

  $ grep -1 local_rules ossec.conf
      <include>attack_rules.xml</include>
      <include>local_rules.xml</include>
    </rules>
  $

I have verified that IP 1.2.3.4 is indeed valid and showing up in the Apache log, and I've added the relevant Apache log to ossec.conf via (and restarted ossec):

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/domain.com-access_log</location>
  </localfile>

Instead of <regex> I've also tried simply:

  <match>www.example.com/v9/windowsupdate/</match>

... and:

  <url>www.example.com/v9/windowsupdate/</url>

I've also tried removing the <srcip> line, and I've tried all combinations of:

  <group name="web,accesslog,">
  <group name="apache,">
  <group name="syslog,">
  <group name="local,web,accesslog,apache,">

And numerous other combinations.

The access_log line looks like this:

  1.2.3.4 - - [13/Apr/2010:16:26:40 -0400] "GET http://www.example.com/v9/windowsupdate/redir/muv4wuredir.cab?1004132022 HTTP/1.1" 404 307 "-" "Windows-Update-Agent"

I've read these:

  http://www.ossec.net/wiki/UserRules
  http://www.ossec.net/main/manual/configuration-options/

For the life of me I can't figure out what I'm doing wrong. Thank you for any help!

-Brian

--
To unsubscribe, reply using "remove me" as the subject.
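An added example, not from either message in the thread: the same whitelist written as a child of the stock OSSEC web rules, so the match is evaluated inside the rule tree where the 400-error alert for this 404 is raised, with the no_email_alert option from the reply shown as the alternative that keeps the event logged but unmailed. It assumes the default web_rules.xml id 31101 ("Web server 400 error code"); the local rule ids 100004 and 100005 are hypothetical.

```xml
<!-- Added example for local_rules.xml; not part of the original thread.
     Assumes the stock OSSEC web_rules.xml, where 31101 is the level 5
     "Web server 400 error code" rule that a 404 in the access log hits.
     Use variant A or variant B, not both: with the same conditions, the
     first rule in the file matches and the second is never reached. -->
<group name="local,web,accesslog,">

  <!-- Variant A: silence the event completely. <if_sid> hooks the rule
       into the web-log tree, where <srcip> and <url> test the fields the
       apache decoder extracted (source IP and request URL). A level 0
       match produces neither a log entry nor an e-mail, so no <options>
       tag is needed. <url> is a substring match, so the host name and its
       dots are left out of the pattern. -->
  <rule id="100004" level="0">
    <if_sid>31101</if_sid>
    <srcip>1.2.3.4</srcip>
    <url>/v9/windowsupdate/</url>
    <description>Windows Update 404s from 1.2.3.4 are expected; ignore.</description>
  </rule>

  <!-- Variant B: keep the level 5 alert in alerts.log for later review
       but stop the e-mail, using the no_email_alert option from the reply. -->
  <rule id="100005" level="5">
    <if_sid>31101</if_sid>
    <srcip>1.2.3.4</srcip>
    <url>/v9/windowsupdate/</url>
    <options>no_email_alert</options>
    <description>Windows Update 404s from 1.2.3.4 (logged, not mailed).</description>
  </rule>

</group>
```

After editing, restart ossec and run the sample access_log line through /var/ossec/bin/ossec-logtest to confirm which rule id now fires for it.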
