Hey Dan,

I appreciate your help with some of these rules & such. If I could ever get 
a chance to talk with you via chat or something, I would appreciate it. 
There are things that are hard to explain here, and it would be easier to talk 
about them. If you wouldn't mind sending me an email with any contact info, 
I'd appreciate it. My email address is [email protected]

   Thanks

Steve


On Friday, May 25, 2012 3:14:51 AM UTC-5, Steve W wrote:
>
>  Hi There, 
>
> My name is Steve W. Currently I have OSSEC 2.6 running on our web & 
> email server, as a local instance. I have my settings to only receive 
> email alerts with a level/score of 7 or higher. Ever since the 
> installation, I have been getting many of the following alerts to my 
> email, and some of them are less than 7, and I am still getting email 
> alerts. I have tried creating ignore rules, and yet they continue to 
> come. But now I have realized that I don't want it to completely 
> ignore the rule; I would like it to log the alerts, just not send me 
> an email alert about it. Below are the email alerts I am getting. 
>
>
>
> Rule: 3353 fired (level 10) -> "Multiple attempts to send e-mail from 
> invalid/unknown sender domain." 
> Apr 26 08:25:57 ccgr postfix/smtpd[9191]: NOQUEUE: reject: RCPT from 
> unknown[118.126.1.112]: 450 4.7.1 Client host rejected: cannot find 
> your hostname, [118.126.1.112]; from=<[email protected]> 
> to=<[email protected]> proto=ESMTP helo=<okmail.v01.cn> 
>
> **Since this is a level 10, I would like to have an alert sent to the 
> logs, but not email me about it because there are hundreds of these 
> alerts each day.** 
>
>
>
> Rule: 550 fired (level 7) -> "Integrity checksum changed." 
> Integrity checksum changed for: '/etc/init.d/.depend.stop' 
> Size changed from '1288' to '1352' 
> Old md5sum was: '9a2f9ffa43ebf20abd96b94663b868ef' 
> New md5sum is : 'a7baf0eb4beb852af4f07f4ce4e67f5f' 
> Old sha1sum was: '7ae0416e7efcfaf0a6a2d725c223deebcf46f48f' 
> New sha1sum is : 'f56dcbc8c79c47c1d4ff11cbed81605a216114ba' 
>
> **This is a level 7 rule, so it also should be emailed to me. Lately 
> there are a lot of these alerts flooding my inbox, and I would like to 
> just save the alert to log (log the alert), but not email me.** 
>
>
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the 
> system." 
> May 24 06:25:10 ccgr /USR/SBIN/CRON[19055]: (CRON) error (grandchild 
> #19056 failed with exit status 1) 
>
> **This is one of the many level 2 alerts I have been getting, and it 
> is still sending me these alerts to my email, even though I have it 
> set to only email me with alerts with a level 7 or higher.** 
>
>
>
>
>
> **Here is an example of the rules I have been trying to create, but 
> they are not working. Any help would be greatly appreciated.** 
>
>   <rule id="100501" level="2"> 
>     <if_sid>1002</if_sid> 
>     <options>no_email_alert</options> 
>     <description>Ignoring rule 1002.</description> 
>   </rule> 
>
>
>   <rule id="100502" level="10"> 
>     <if_sid>3353,3357</if_sid> 
>     <options>no_email_alert</options> 
>     <program_name>postfix/smtpd</program_name> 
>     <description>Multiple attempts to send e-mail from invalid/unknown 
> sender domain.</description> 
>   </rule> 
>
>
>   <rule id="100504" level="7"> 
>     <if_sid>550,551,552,2902</if_sid> 
>     <options>no_email_alert</options> 
>     <match>Integrity checksum changed</match> 
>     <description>New packages installed, and checksum changes</description> 
>   </rule> 
>
>
>
>
>
>    Thank You 
>
> Steve Wieczorek 
> [email protected]
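The kind of hand-typed slips in the quoted rules (an attribute written as a tag name, a closing tag that does not match its opener) stop OSSEC from parsing local_rules.xml at all, so no override ever takes effect. Below is a small checker, added here as an example and not part of the thread or the OSSEC project, that flags those slips on a constructed fragment modelled on the second rule; the set of known `<options>` values is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Values accepted inside <options> (assumed subset of what OSSEC supports).
KNOWN_OPTIONS = {"alert_by_email", "no_email_alert", "no_log"}

# Hand-typed mistakes that stop the XML from parsing before OSSEC sees the rule.
TYPO_HINTS = [
    (re.compile(r"<rule_id="), "'<rule_id=' is not a tag: write <rule id=\"...\" level=\"...\">"),
    (re.compile(r"</id_sid>"), "'</id_sid>' does not close <if_sid>: write </if_sid>"),
]


def lint_rules(fragment: str) -> list[str]:
    """Return the problems found in a local_rules.xml fragment (empty list = usable)."""
    problems = []
    for lineno, line in enumerate(fragment.splitlines(), 1):
        for pattern, hint in TYPO_HINTS:
            if pattern.search(line):
                problems.append(f"line {lineno}: {hint}")
    try:  # wrap in <group> so a bare list of <rule> elements parses as one document
        root = ET.fromstring(f"<group name='local,'>{fragment}</group>")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return problems
    for rule in root.iter("rule"):
        rid, level = rule.get("id", ""), rule.get("level", "")
        if not (rid.isdigit() and level.isdigit()):
            problems.append("rule missing numeric id/level attributes")
            continue
        if rule.find("if_sid") is None:
            problems.append(f"rule {rid}: no <if_sid>, so it does not override a parent rule")
        for opt in rule.findall("options"):
            if (opt.text or "").strip() not in KNOWN_OPTIONS:
                problems.append(f"rule {rid}: unknown option {opt.text!r}")
    return problems


# Constructed fragment modelled on the second rule in the post, as typed and corrected.
BROKEN = """<rule_id="100502" level="10">
  <if_sid>3353,3357</id_sid>
  <options>no_email_alert</options>
  <description>Multiple attempts from invalid/unknown sender domain.</description>
</rule>"""
FIXED = BROKEN.replace('<rule_id="', '<rule id="').replace("</id_sid>", "</if_sid>")

if __name__ == "__main__":
    for name, frag in (("as posted", BROKEN), ("corrected", FIXED)):
        print(f"{name}: {lint_rules(frag) or 'ok'}")
```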
