I'll try to help more thoroughly later.

On May 25, 2012 6:33 AM, "Steve W" <[email protected]> wrote:
>
> Hi There,
>
> My name is Steve W. Currently I have OSSEC 2.6 running on our web &
> email server, as a local instance. I have my settings to only receive
> email alerts with a level/score of 7 or higher. Ever since the
> installation, I have been getting many of the following alerts to my
> email, and some of them are less than 7, and I am still getting email
> alerts. I have tried creating ignore rules, and yet they continue to
> come. But now I have realized that I don't want it to completely
> ignore the rule, I would like it to log the alerts, just not send me
> an email alert about it. Below are the email alerts I am getting.
>
>
> Rule: 3353 fired (level 10) -> "Multiple attempts to send e-mail from
> invalid/unknown sender domain."
> Apr 26 08:25:57 ccgr postfix/smtpd[9191]: NOQUEUE: reject: RCPT from
> unknown[118.126.1.112]: 450 4.7.1 Client host rejected: cannot find
> your hostname, [118.126.1.112]; from=<[email protected]>
> to=<[email protected]> proto=ESMTP helo=<okmail.v01.cn>
>
> **Since this is a level 10, I would like to have an alert sent to the
> logs, but not email me about it because there are hundreds of these
> alerts each day.**
>
>
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Integrity checksum changed for: '/etc/init.d/.depend.stop'
> Size changed from '1288' to '1352'
> Old md5sum was: '9a2f9ffa43ebf20abd96b94663b868ef'
> New md5sum is : 'a7baf0eb4beb852af4f07f4ce4e67f5f'
> Old sha1sum was: '7ae0416e7efcfaf0a6a2d725c223deebcf46f48f'
> New sha1sum is : 'f56dcbc8c79c47c1d4ff11cbed81605a216114ba'
>
> **This is a level 7 rule, so it also should be emailed to me. Lately
> there are a lot of these alerts flooding my inbox, and I would like to
> just save the alert to log (log the alert), but not email me.**
>
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> system."
> May 24 06:25:10 ccgr /USR/SBIN/CRON[19055]: (CRON) error (grandchild
> #19056 failed with exit status 1)
>
> **This is one of the many level 2 alerts I have been getting, and it
> is still sending me these alerts to my email, even though I have it
> set to only email me with alerts with a level 7 or higher.**
>
http://devio.us/~ddp/ossec/docs/faq/alerts.html#how-do-i-ignore-rule-1002
http://devio.us/~ddp/ossec/docs/faq/alerts.html#i-set-the-email-alert-level-to-10-why-do-i-keep-seeing-rules-with-lower-levels

>
> **Here is an example of the rules I have been trying to create, but
> are not working. Any help would be greatly appreciated.**
>
> <!-- Override rule 1002: keep the alert in the log, suppress the e-mail -->
> <rule id="100501" level="2">
>   <if_sid>1002</if_sid>
>   <options>no_email_alert</options>
>   <description>Ignoring rule 1002.</description>
> </rule>
>
> <!-- Override rules 3353/3357 for postfix/smtpd, e-mail suppressed -->
> <rule id="100502" level="10">
>   <if_sid>3353,3357</if_sid>
>   <options>no_email_alert</options>
>   <program_name>postfix/smtpd</program_name>
>   <description>Multiple attempts to send e-mail from invalid/unknown
>   sender domain.</description>
> </rule>
>
> <!-- Override the syscheck rules, e-mail suppressed -->
> <rule id="100504" level="7">
>   <if_sid>550,551,552,2902</if_sid>
>   <options>no_email_alert</options>
>   <match>Integrity checksum changed</match>
>   <description>New packages installed, and checksum changes</description>
> </rule>
>
>
> Thank You
>
> Steve Wieczorek
> [email protected]
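As an added check for this thread (example code written here, not from the post and not part of OSSEC): a small Python linter for override rules of the kind quoted above, the ones meant to keep an alert in the log but stop the e-mail. It assumes the OSSEC conventions that user-defined rules use ids in 100000-119999 and that an override is a `<rule>` with an `<if_sid>` naming the parent plus `<options>no_email_alert</options>`. The two fragments embedded in it are constructed from the rules in the post: one with the original syntax slips (`<rule_id=` and a mismatched `</id_sid>`) and one corrected.

```python
"""Lint OSSEC local rules that are meant to log an alert but suppress its e-mail.

Added example for this thread, not code from the post or from OSSEC. It
checks what commonly goes wrong in such override rules: the XML must parse,
every rule needs a numeric id in the user range 100000-119999 (the range
OSSEC reserves for local rules), an <if_sid> naming the parent rule it
overrides, and <options>no_email_alert</options>.
"""
import xml.etree.ElementTree as ET

LOCAL_ID_RANGE = range(100000, 120000)   # ids OSSEC reserves for user rules

# Constructed from the rules quoted in the post, typos included:
# "<rule_id=" instead of "<rule id=" and a mismatched "</id_sid>".
BROKEN_RULES = """
<rule id="100501" level="2">
  <if_sid>1002</if_sid>
  <options>no_email_alert</options>
  <description>Ignoring rule 1002.</description>
</rule>
<rule_id="100502" level="10">
  <if_sid>3353,3357</if_sid>
  <options>no_email_alert</options>
  <program_name>postfix/smtpd</program_name>
  <description>Multiple attempts to send e-mail from invalid/unknown sender domain.</description>
</rule>
<rule_id="100504" level="7">
  <if_sid>550,551,552,2902</id_sid>
  <options>no_email_alert</options>
  <match>Integrity checksum changed</match>
  <description>New packages installed, and checksum changes</description>
</rule>
"""

# The same three rules with the syntax corrected (constructed).
FIXED_RULES = BROKEN_RULES.replace('<rule_id="', '<rule id="').replace("</id_sid>", "</if_sid>")


def lint_rules(fragment):
    """Return a list of problem strings; an empty list means the fragment passes."""
    problems = []
    # A rules file holds several top-level <rule> elements (usually inside a
    # <group>), so wrap the fragment in a synthetic root to parse it.
    try:
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        return ["XML parse error: %s" % exc]

    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit():
            problems.append("rule without a numeric id attribute")
            continue
        tag = "rule %s" % rid
        if int(rid) not in LOCAL_ID_RANGE:
            problems.append(tag + ": id outside the local range 100000-119999")
        if rid in seen:
            problems.append(tag + ": duplicate id")
        seen.add(rid)
        if rule.get("level") is None:
            problems.append(tag + ": missing level attribute")
        if rule.find("if_sid") is None:
            problems.append(tag + ": no <if_sid>, so it overrides nothing")
        options = [o.text.strip() for o in rule.findall("options") if o.text]
        if "no_email_alert" not in options:
            problems.append(tag + ": missing <options>no_email_alert</options>")
    if not seen:
        problems.append("no <rule> elements found")
    return problems


if __name__ == "__main__":
    for name, fragment in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name + ":", lint_rules(fragment) or "ok")
```

Run against the fragment as posted, the first finding is the XML parse error, which is also what would stop ossec-analysisd from loading the file; the corrected fragment passes. The linter only checks shape, not whether the parent ids exist or match the log, so the FAQ entries linked above are still the place to look for why a lower-level rule keeps arriving by e-mail.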
