On Sat, May 26, 2012 at 3:10 PM, Steve W <[email protected]> wrote:
>
> Hey man, I really appreciate your help here. I understand what you
> mean by not ignoring 1002 (Unknown problem somewhere in the system).
> Makes sense, I appreciate the advice on that. Ok, my only other
> remaining issues are for the following alerts: 550 (integrity checksum
> changed.) You would think I want to see alerts like this, but there
> are just so many coming in. 551 (Integrity checksum changed again (2nd
> time). I get a bunch of these also. 552 (integrity checksum changed
> again (3rd time). I think I would like to do this, but can't figure
> out how. I don't want emails alerting me that a checksum has
> changed a 1st (550) and 2nd (551) time. But, if a checksum has changed
> on a file for a third time, then send me an email. So can I tell it to
> **log only** rules 551 & 552? But if a file has changed for a third
> time, then send me an email alert. I want the first & second attempts
> to be logged for sure, but no email alerts. For my alert threshold to get
> email alerts, the rule has to be at least a 7 or higher. Any thoughts
> on this? I have tried putting a rule in my local_rules.xml, but still
> get email alerts. Is there something wrong with the way I am writing the rule/s?
>
> <rule id="100200" level="7">
If you don't want to see emails on sids 550/551, and you're emailing
all alerts level 7 or greater, why did you set this to level 7?

> <if_sid>550,551,</if_sid>
> <description>Integrity checksum has changed again</description>
> </rule>
>
> Do you see a problem with this?
>
> The last alert I am having trouble with is 3353 (Multiple attempts
> to send e-mail from invalid/unknown sender domain). I want this, like
> the previous rule, except to not get any emails, just log all the
> alerts. 3353 fires as a level 10. Here is the rule I created, but it
> doesn't seem to work. Any thoughts?
>
> <rule id="100300" level="10">

Why do you set this to a level 10? 10 > 7.

> <if_sid>3353,</if_sid>
> <description>Multiple attempts to send e-mail from invalid/unknown
> sender domain</description>
> </rule>
>
> Does that look correct, or are there things I should/need to change?
>
> Again, I appreciate your response, and thank you in advance for any
> input or advice you might be able to give me. Thanks buddy.
>
> Steve W
>
> On May 25, 8:14 am, "dan (ddp)" <[email protected]> wrote:
>> On Fri, May 25, 2012 at 4:14 AM, Steve W <[email protected]> wrote:
>> > Hi There,
>>
>> > My name is Steve W. Currently I have OSSEC 2.6 running on our web &
>> > email server, as a local instance. I have my settings to only receive
>> > email alerts with a level/score of 7 or higher. Ever since the
>> > installation, I have been getting many of the following alerts to my
>> > email, and some of them are less than 7, and I am still getting email
>> > alerts. I have tried creating ignore rules, and yet they continue to
>> > come. But now I have realized that I don't want it to completely
>> > ignore the rule, I would like it to log the alerts, just not send me
>> > an email alert about it. Below are the email alerts I am getting.
>>
>> > Rule: 3353 fired (level 10) -> "Multiple attempts to send e-mail from
>> > invalid/unknown sender domain."
>> > Apr 26 08:25:57 ccgr postfix/smtpd[9191]: NOQUEUE: reject: RCPT from
>> > unknown[118.126.1.112]: 450 4.7.1 Client host rejected: cannot find
>> > your hostname, [118.126.1.112]; from=<[email protected]>
>> > to=<[email protected]> proto=ESMTP helo=<okmail.v01.cn>
>>
>> > **Since this is a level 10, I would like to have an alert sent to the
>> > logs, but not email me about it because there are hundreds of these
>> > alerts each day.**
>>
>> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> > Integrity checksum changed for: '/etc/init.d/.depend.stop'
>> > Size changed from '1288' to '1352'
>> > Old md5sum was: '9a2f9ffa43ebf20abd96b94663b868ef'
>> > New md5sum is : 'a7baf0eb4beb852af4f07f4ce4e67f5f'
>> > Old sha1sum was: '7ae0416e7efcfaf0a6a2d725c223deebcf46f48f'
>> > New sha1sum is : 'f56dcbc8c79c47c1d4ff11cbed81605a216114ba'
>>
>> > **This is a level 7 rule, so it also should be emailed to me. Lately
>> > there are a lot of these alerts flooding my inbox, and I would like to
>> > just save the alert to log (log the alert), but not email me.**
>>
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>> > system."
>> > May 24 06:25:10 ccgr /USR/SBIN/CRON[19055]: (CRON) error (grandchild
>> > #19056 failed with exit status 1)
>>
>> > **This is one of the many level 2 alerts I have been getting, and it
>> > is still sending me these alerts to my email, even though I have it
>> > set to only email me with alerts with a level 7 or higher.**
>>
>> > **Here is an example of the rules I have been trying to create, but
>> > are not working. Any help would be greatly appreciated.**
>>
>> > <rule id="100501" level="2">
>> > <if_sid>1002</if_sid>
>> > <options>no_email_alert</options>
>> > <description>Ignoring rule 1002.</description>
>> > </rule>
>>
>> Don't do this. Create rules for the log messages 1002 is triggered by.
>> 1002 is a good rule to have.
>>
>> > <rule id="100502" level="10">
>> > <if_sid>3353,3357</if_sid>
>> > <options>no_email_alert</options>
>> > <program_name>postfix/smtpd</program_name>
>> > <description>Multiple attempts to send e-mail from invalid/unknown
>> > sender domain.</description>
>> > </rule>
>>
>> Instead of using the no_email_alert option, try just lowering the
>> level to below 7 (and above your minimum log level). Also, you
>> probably don't need both the <program_name> and the <if_sid>.
>>
>> > <rule id="100504" level="7">
>> > <if_sid>550,551,552,2902</if_sid>
>> > <options>no_email_alert</options>
>> > <match>Integrity checksum changed</match>
>> > <description>New packages installed, and checksum changes</description>
>> > </rule>
>>
>> Again, try with a lower level and without the no_email_alert option.
>> You probably don't need the generic <match> when you have the sids
>> there.
>>
>> > Thank You
>>
>> > Steve Wieczorek
>> > [email protected]
>>
>> Remember to use ossec-logtest to test your changes. You'll generally
>> have to tweak all but the simplest of rules, I know I do.
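To make dan's advice concrete, here is an added example local_rules.xml that is not from either poster. It assumes the thresholds Steve describes, i.e. an `<alerts>` block in ossec.conf with `<log_alert_level>1</log_alert_level>` and `<email_alert_level>7</email_alert_level>`, so that anything at level 7 or above is mailed and anything at level 1 or above is written to alerts.log. The rule ids 100200 and 100300 are carried over from Steve's post; the level values chosen here are the author's assumption.

```xml
<!-- local_rules.xml (added example, not from the thread).
     Assumes ossec.conf: <alerts><log_alert_level>1</log_alert_level>
                                 <email_alert_level>7</email_alert_level></alerts>
     A child rule that matches via <if_sid> replaces the parent's level,
     so the mail decision is made on the child's level, not the parent's. -->
<group name="local,syslog,">

  <!-- Weak form (what was posted): the child keeps level 7, which is still
       >= email_alert_level, so the mail is sent exactly as before.
  <rule id="100200" level="7">
    <if_sid>550,551</if_sid>
    <description>Integrity checksum has changed again</description>
  </rule>
  -->

  <!-- Corrected: 1st (550) and 2nd (551) checksum changes drop to level 5,
       below the mail threshold but above log_alert_level, so they are
       written to alerts.log and not mailed. 552 (3rd change) is deliberately
       not listed here; it stays at its stock level 7 and is still mailed. -->
  <rule id="100200" level="5">
    <if_sid>550,551</if_sid>
    <description>Integrity checksum changed (1st or 2nd time), log only.</description>
  </rule>

  <!-- 3353 fires at level 10; overriding it to 5 keeps the postfix reject
       in alerts.log without an email per event. -->
  <rule id="100300" level="5">
    <if_sid>3353</if_sid>
    <description>Multiple attempts to send e-mail from invalid/unknown sender domain (log only).</description>
  </rule>

</group>
```

Two checks before restarting ossec: local rule ids must stay in the 100000-119999 range reserved for local rules, and the override level must not be dropped to 0, which would silence the alert entirely rather than just stop the mail. Paste the postfix line from the original post into /var/ossec/bin/ossec-logtest and confirm that the output reports rule 100300 at level 5 rather than 3353 at level 10; if it still reports 3353, the child rule is not matching and the rule file is the problem, not the threshold.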
