Hello! I am having trouble filtering a specific item in 1002. I still get the alerts... The alerts I get are like the ones below but with a different resolving "addresses"... The rule I created is:

<group name="local">
  <rule id="100102" level="0">
    <if_sid>1002</if_sid>
    <match>connect_error: error (network unreachable) resolving</match>
    <description>Resolve Events ignored.</description>
  </rule>
</group>

What am I doing wrong? I still get these like crazy... Thanks!

OSSEC HIDS Notification.
2012 Jan 09 12:00:04

Received From: mail01->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53

--END OF NOTIFICATION

OSSEC HIDS Notification.
2012 Jan 09 12:00:08

Received From: mail01->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 9 12:00:08 mail01 named[16307]: error (network unreachable) resolving 'org/DNSKEY/IN': 2001:500:c::1#53

--END OF NOTIFICATION

OSSEC HIDS Notification.
2012 Jan 09 12:00:08

Received From: mail01->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 9 12:00:08 mail01 named[16307]: error (network unreachable) resolving 'org/DNSKEY/IN': 2001:500:f::1#53

--END OF NOTIFICATION
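Added example (not the poster's code, not part of OSSEC): an offline check of the rule's `<match>` string against the three log lines quoted in the notifications above. It assumes OSSEC's `<match>` behaves as a plain substring test with `|` for alternation and `^` / `$` as start and end anchors, which is an approximation of the real matcher.

```python
# Added example: test an OSSEC <match> string against sample log lines.
# Assumption: <match> approximated as a substring test with '|', '^', '$'.
# OSSEC applies <match> to the decoded message rather than the full syslog
# line, but a string absent from the whole line is absent from any part of
# it, so "0 matches" here means the rule cannot be catching these lines.

# The <match> string from the posted rule.
POSTED_MATCH = "connect_error: error (network unreachable) resolving"

# Constructed sample: the three log lines quoted in the notifications.
SAMPLE_LOGS = [
    "Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) "
    "resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53",
    "Jan 9 12:00:08 mail01 named[16307]: error (network unreachable) "
    "resolving 'org/DNSKEY/IN': 2001:500:c::1#53",
    "Jan 9 12:00:08 mail01 named[16307]: error (network unreachable) "
    "resolving 'org/DNSKEY/IN': 2001:500:f::1#53",
]


def ossec_match(pattern: str, line: str) -> bool:
    """True if any '|'-separated alternative of `pattern` is found in
    `line` as a substring, honouring a leading '^' or trailing '$'."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        body = alt[1:] if at_start else alt
        body = body[:-1] if at_end else body
        if at_start and at_end:
            hit = line == body
        elif at_start:
            hit = line.startswith(body)
        elif at_end:
            hit = line.endswith(body)
        else:
            hit = body in line
        if hit:
            return True
    return False


def count_matches(pattern: str, lines: list[str]) -> int:
    """Number of `lines` the <match> string would catch."""
    return sum(1 for line in lines if ossec_match(pattern, line))


if __name__ == "__main__":
    n = count_matches(POSTED_MATCH, SAMPLE_LOGS)
    print(f"posted <match> catches {n} of {len(SAMPLE_LOGS)} sample lines")
```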
