Dennis, <options>no-email-alert</option> causes ossec to fail to start.

<options>no_email_alert</option> (within a <rule> block) has no effect. Email alerts still pile in.

-Brian

On Apr 14, 2:10 pm, "Carter, Dennis A" <[email protected]> wrote:
> Brian,
>
> No. The level="0" is used to ignore the rule and no action taken, primarily to
> avoid false positives. The <options>no-email-alert</option> basically overrides
> your global email settings in your ossec.conf file.
>
> Dennis Carter
> Pinellas County Govt
> Business Technology Services
> 727-464-4527
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Brian
> Sent: Wednesday, April 14, 2010 11:17 AM
> To: ossec-list
> Subject: [ossec-list] Re: Rule for web access_log not working
>
> Dennis,
>
> Is <options>no_email_alert</option> a new change? The docs mention
> level="0" as turning off the alert for a specific rule. I have
> level="0" set for other, non-apache rules in local_rules.xml, and they
> seem to be working as desired with no alerts.
>
> -Brian
>
> On Apr 14, 8:04 am, "Carter, Dennis A" <[email protected]> wrote:
> > Brian,
> >
> > If you do not want the e-mail alerts then add option tag to your rule.
> >
> > <options>no_email_alert</options>
> >
> > Dennis Carter
> > Pinellas County Govt
> > Business Technology Services
> > 727-464-4527
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Brian
> > Sent: Tuesday, April 13, 2010 5:22 PM
> > To: ossec-list
> > Subject: [ossec-list] Rule for web access_log not working
> >
> > I have the following "whitelist" rule that is still producing email
> > alerts, in local_rules.xml
> >
> > <group name="web,accesslog,apache,">
> >   <rule id="200004" level="0">
> >     <srcip>1.2.3.4</srcip>
> >     <regex>www\.example\.com/v9/windowsupdate/</regex>
> >     <description>X is asking for Windows updates?</description>
> >   </rule>
> > </group>
> >
> > $ grep -1 local_rules ossec.conf
> >     <include>attack_rules.xml</include>
> >     <include>local_rules.xml</include>
> >   </rules>
> > $
> >
> > I have verified that IP 1.2.3.4 is indeed valid and showing up in the
> > Apache log, and I've added the relevant Apache log to ossec.conf via
> > (and restarted ossec):
> >
> > <localfile>
> >   <log_format>apache</log_format>
> >   <location>/var/log/httpd/domain.com-access_log</location>
> > </localfile>
> >
> > Instead of <regex> I've also tried simply:
> >
> > <match>www.example.com/v9/windowsupdate/</match>
> >
> > ... and:
> >
> > <url>www.example.com/v9/windowsupdate/</url>
> >
> > I've also tried removing the <srcip> line, and I've tried all
> > combinations of:
> >
> > <group name="web,accesslog,">
> > <group name="apache,">
> > <group name="syslog,">
> > <group name="local,web,accesslog,apache,">
> >
> > And numerous other combinations.
> >
> > The access_log line looks like this:
> >
> > 1.2.3.4 - - [13/Apr/2010:16:26:40 -0400] "GEThttp://www.example.com/v9/windowsupdate/redir/muv4wuredir.cab?1004132022 HTTP/1.1" 404 307 "-" "Windows-Update-Agent"
> >
> > I've read these:
> >
> > http://www.ossec.net/wiki/UserRules
> > http://www.ossec.net/main/manual/c...
> >
> > For the life of me I can't figure out what I'm doing wrong. Thank you
> > for any help!
> >
> > -Brian
> >
> > --
> > To unsubscribe, reply using "remove me" as the subject.
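The thread ends without a resolution, so here is a local_rules.xml fragment, added as an example and not taken from any of the posts, that shows the two points the exchange circles around in working form. First, the option is spelled no_email_alert (underscores) and must close with </options>; the <options>no-email-alert</option> form is malformed XML, which fits the report that ossec refused to start with it. Second, a suppression for a web access log is normally written as a child of the stock web rule that would otherwise fire, via <if_sid>, so that the more specific child decides the outcome for that event. Assumptions: a stock OSSEC web_rules.xml where 31101 is the level-5 "Web server 400 error code" rule that a 404 like the line quoted above would hit (verify the id against the ruleset installed on your manager); rule ids 100101 and 100102 in the local range, the group name and the descriptions are constructed for this example.

```xml
<!-- Added example for local_rules.xml; not from the mailing-list thread.
     Assumes stock OSSEC web_rules.xml where 31101 = "Web server 400 error code".
     Rule ids 100101/100102 and the group name are constructed for this example. -->
<group name="local,web,accesslog,">

  <!-- Any client getting a 404 on the Windows Update path: keep the alert in
       alerts.log for audit, but do not email it. Child of 31101 (assumed), so it
       is only evaluated once the stock 400-error rule has matched.
       Note the underscores in the option name and the </options> close tag. -->
  <rule id="100101" level="5">
    <if_sid>31101</if_sid>
    <url>/v9/windowsupdate/</url>
    <options>no_email_alert</options>
    <description>404 on Windows Update path; logged, not emailed.</description>
  </rule>

  <!-- The one host known to do this: a level-0 child of the rule above, so for
       1.2.3.4 the event is dropped entirely (no alert, no email), while any other
       client still lands in rule 100101 and is logged. -->
  <rule id="100102" level="0">
    <if_sid>100101</if_sid>
    <srcip>1.2.3.4</srcip>
    <description>Known host polling Windows Update; ignored.</description>
  </rule>

</group>
```

Before relying on <url> or <srcip> conditions, paste the exact access_log line into /var/ossec/bin/ossec-logtest: it prints which decoder handled the line, the fields it extracted (srcip, url, id), and the rule that finally matched. If the decoder did not populate url or srcip for that line, conditions on those fields can never be true, and only whole-line conditions such as <regex> or <match> can apply. That is the check that separates "my rule is wrong" from "the line is not being decoded the way I expect".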
