On Sat, May 26, 2012 at 3:10 PM, Steve W <[email protected]> wrote:
>
>
>
>
>  Hey man, I really appreciate your help here. I understand what you
> mean by not ignoring 1002 (Unknown problem somewhere in the system).
> Makes sense, I appreciate the advice on that. Ok, my only other
> remaining issues are for the following alerts: 550 (integrity checksum
> changed.) You would think I want to see alerts like this, but there
> just so many coming in. 551 (Integrity checksum changed again (2nd
> time). I get a bunch of these also. 552 (integrity checksum changed
> again (3rd time). I think I would like to do this, but can't figure
> out how. I don't want to emails alerting me that a checksum has
> changed 1st (550), and 2nd (551) time. But, if a checksum has changed
> on a file for a third time, then send me an email. So can I tell it to
> **log only** rules 551 & 552? But if a file has changed for a third
> time, then send me an email alert. I want the first & second attempts
> to be logged for sure, but no email alerts. My alert threshold to get
> email alerts, the rule has to be at least a 7 or higher. Any thoughts
> on this? I have tried putting a rule in my local_rules.xml, but still
> get email alerts. Is there something the way I am writing the rule/s?
>
> <rule id="100200" level="7">

If you don't want to see emails on sids 550/551, and you're emailing
all alerts level 7 or greater, why did you set this to level 7?

>   <if_sid>550,551,</if_sid>
>   <description>Integrity checksum has changed again</description>
> </rule>
>
> Do you see a problem with this?
>
>  The last alert I am having trouble with are 3353 (Multiple attempts
> to send e-mail from invalid/unknown sender domain). I want this, like
> the previous rule. Except to no get any emails, just log all the
> alerts. 3353 fires as a level 10. Here is the rule I created, but
> doesn't seem to work. Any thoughts?
>
> <rule id="100300" level="10">

Why do you set this to a level 10? 10 > 7.

>   <if_sid>3353,</if_sid>
>   <description>Multiple attempts to send e-mail from invalid/unknown
> sender domain</description>
> </rule>
>
> Does that look correct, or are there things I should/need to change?
>
>  Again, I appreciate your response, and thank you in advance for any
> input or advice you might be able to give me. Thanks buddy.
>
>
> Steve W
>
> On May 25, 8:14 am, "dan (ddp)" <[email protected]> wrote:
>> On Fri, May 25, 2012 at 4:14 AM, Steve W <[email protected]> wrote:
>> >  Hi There,
>>
>> > My name is Steve W. Currently I have OSSEC 2.6 running on our web &
>> >emailserver, as a local instance. I have my settings to only receive
>> >emailalerts with a level/score or 7 or higher. Ever since the
>> > installation, I have been getting many of the following alerts to my
>> >email, and some of them are less that 7, and I am still gettingemail
>> > alerts. I have tried creating ignore rules, and yet they continue to
>> > come.Butnow I have realized that I don't want it to completely
>> > ignore the rule, I would like it tologthe alerts, justnotsend me
>> > anemailalertabout it. Below are theemailalerts I am getting.
>>
>> > Rule: 3353 fired (level 10) -> "Multiple attempts to send e-mail from
>> > invalid/unknown sender domain."
>> > Apr 26 08:25:57 ccgr postfix/smtpd[9191]: NOQUEUE: reject: RCPT from
>> > unknown[118.126.1.112]: 450 4.7.1 Client host rejected: cannot find
>> > your hostname, [118.126.1.112]; from=<[email protected]>
>> > to=<[email protected]> proto=ESMTP helo=<okmail.v01.cn>
>>
>> > **Since this is a level 10, I would like to have analertsent to the
>> > logs,butnotemailme about it because there are hundreds of these
>> > alerts each day.**
>>
>> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> > Integrity checksum changed for: '/etc/init.d/.depend.stop'
>> > Size changed from '1288' to '1352'
>> > Old md5sum was: '9a2f9ffa43ebf20abd96b94663b868ef'
>> > New md5sum is : 'a7baf0eb4beb852af4f07f4ce4e67f5f'
>> > Old sha1sum was: '7ae0416e7efcfaf0a6a2d725c223deebcf46f48f'
>> > New sha1sum is : 'f56dcbc8c79c47c1d4ff11cbed81605a216114ba'
>>
>> > **This is a level 7 rule, so it also should be emailed to me. Lately
>> > there are a lot of these alerts flooding my inbox, and I would like to
>> > just save thealerttolog(logthealert),butnotemailme.**
>>
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>> > system."
>> > May 24 06:25:10 ccgr /USR/SBIN/CRON[19055]: (CRON) error (grandchild
>> > #19056 failed with exit status 1)
>>
>> > **This is one of the many level 2 alerts I have been getting, and it
>> > it still sending me these alerts to myemail, even though I have it
>> > set to onlyemailme with alerts with a level 7 or higher.**
>>
>> > **Here is an example of the rules I have been trying to create,but
>> > arenotworking. Any help would be greatly appreciated.**
>>
>> >  <rule id="100501" level="2">
>> >   <if_sid>1002</if_sid>
>> >  <options>no_email_alert</options>
>> >   <description>Ignoring rule 1002.</description>
>> >  </rule>
>>
>> Don't do this. Create rules for thelogmessages 1002 is triggered by.
>> 1002 is a good rule to have.
>>
>>
>>
>> >  <rule_id="100502" level="10">
>> >   <if_sid>3353,3357</if_sid>
>> >  <options>no_email_alert</options>
>> >   <program_name>postfix/smtpd</program_name>
>> >   <description>Multiple attempts to send e-mail from invalid/unknown
>> > sender domain.</description>
>> >  </rule>
>>
>> Instead of using the no_email_alert option, try just lowering the
>> level to below 7 (and above your minimumloglevel). Aldo, you
>> probably don't need both the <program_name> and the <if_sid>.
>>
>>
>>
>> > <rule_id="100504" level="7">
>> >  <if_sid>550,551,552,2902</id_sid>
>> > <options>no_email_alert</options>
>> >  <match>Integrity checksum changed</match>
>> >  <description>New packages installed, and checksum changes</
>> > description>
>> > </rule>
>>
>> Again, try with a lower level and without the no_email_alert option.
>> You probably don't need the generic <match> when you have the sids
>> there.
>>
>>
>>
>> >   Thank You
>>
>> > Steve Wieczorek
>> > [email protected]
>>
>> Remember to use ossec-logtest to test your changes. You'll generally
>> have to tweak allbutthe simplest of rules, I know I do.

Reply via email to