On Wed, Jun 27, 2012 at 1:04 AM, Steve W <[email protected]> wrote:
>
>   Hey Dan,
>
> I appreciate your help with some of these rules & such. If I could ever get
> a chance to talk with you via chat or something, I would appreciate it.
> There are things that are hard to explain here, and would be easier to talk
> about it. If you wouldn't mind sending me an email with any contact info,
> I'd appreciate it. My email address is   [email protected]
>
>    Thanks
>
> Steve
>

There are several of us on IRC at various times of the day. #ossec on freenode

>
> On Friday, May 25, 2012 3:14:51 AM UTC-5, Steve W wrote:
>>
>>  Hi There,
>>
>> My name is Steve W. Currently I have OSSEC 2.6 running on our web &
>> email server, as a local instance. I have my settings to only receive
>> email alerts with a level/score of 7 or higher. Ever since the
>> installation, I have been getting many of the following alerts to my
>> email, and some of them are less than 7, and I am still getting email
>> alerts. I have tried creating ignore rules, and yet they continue to
>> come. But now I have realized that I don't want it to completely
>> ignore the rule, I would like it to log the alerts, just not send me
>> an email alert about it. Below are the email alerts I am getting.
>>
>>
>>
>> Rule: 3353 fired (level 10) -> "Multiple attempts to send e-mail from
>> invalid/unknown sender domain."
>> Apr 26 08:25:57 ccgr postfix/smtpd[9191]: NOQUEUE: reject: RCPT from
>> unknown[118.126.1.112]: 450 4.7.1 Client host rejected: cannot find
>> your hostname, [118.126.1.112]; from=<[email protected]>
>> to=<[email protected]> proto=ESMTP helo=<okmail.v01.cn>
>>
>> **Since this is a level 10, I would like to have an alert sent to the
>> logs, but not email me about it because there are hundreds of these
>> alerts each day.**
>>
>>
>>
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Integrity checksum changed for: '/etc/init.d/.depend.stop'
>> Size changed from '1288' to '1352'
>> Old md5sum was: '9a2f9ffa43ebf20abd96b94663b868ef'
>> New md5sum is : 'a7baf0eb4beb852af4f07f4ce4e67f5f'
>> Old sha1sum was: '7ae0416e7efcfaf0a6a2d725c223deebcf46f48f'
>> New sha1sum is : 'f56dcbc8c79c47c1d4ff11cbed81605a216114ba'
>>
>> **This is a level 7 rule, so it also should be emailed to me. Lately
>> there are a lot of these alerts flooding my inbox, and I would like to
>> just save the alert to log (log the alert), but not email me.**
>>
>>
>>
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>> system."
>> May 24 06:25:10 ccgr /USR/SBIN/CRON[19055]: (CRON) error (grandchild
>> #19056 failed with exit status 1)
>>
>> **This is one of the many level 2 alerts I have been getting, and it
>> is still sending me these alerts to my email, even though I have it
>> set to only email me with alerts with a level 7 or higher.**
>>
>>
>>
>>
>>
>> **Here is an example of the rules I have been trying to create, but
>> are not working. Any help would be greatly appreciated.**
>>
>>   <rule id="100501" level="2">
>>    <if_sid>1002</if_sid>
>>   <options>no_email_alert</options>
>>    <description>Ignoring rule 1002.</description>
>>   </rule>
>>
>>
>>  <rule id="100502" level="10">
>>    <if_sid>3353,3357</if_sid>
>>    <options>no_email_alert</options>
>>    <program_name>postfix/smtpd</program_name>
>>    <description>Multiple attempts to send e-mail from invalid/unknown sender domain.</description>
>>  </rule>
>>
>>
>>  <rule id="100504" level="7">
>>    <if_sid>550,551,552,2902</if_sid>
>>    <options>no_email_alert</options>
>>    <match>Integrity checksum changed</match>
>>    <description>New packages installed, and checksum changes</description>
>>  </rule>
>>
>>
>>
>>
>>
>>    Thank You
>>
>> Steve Wieczorek
>> [email protected]
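The rules in the post fail for a reason that has nothing to do with rule logic: `<rule_id=` and `</id_sid>` make the file malformed XML, so OSSEC cannot load it at all. Below is an added example (not from this thread or the OSSEC project) of a small lint run over a local_rules.xml fragment before restarting OSSEC; it assumes the fragment is wrapped in a `<group>` element the way OSSEC rule files are, and checks that each override rule names its parent in `<if_sid>` and carries `no_email_alert`.

```python
"""Lint an OSSEC local_rules.xml fragment: well-formed XML, and each
override rule has <if_sid> plus <options>no_email_alert</options>."""
import xml.etree.ElementTree as ET

# Constructed from the post's rule, typos included ("<rule_id=", "</id_sid>").
BROKEN_RULES = """
<rule_id="100504" level="7">
  <if_sid>550,551,552,2902</id_sid>
  <options>no_email_alert</options>
  <match>Integrity checksum changed</match>
  <description>New packages installed, and checksum changes</description>
</rule>
"""

# The same override rules with the tags corrected. The child rule keeps the
# parent's level so the alert is still written to alerts.log, only the mail stops.
FIXED_RULES = """
<rule id="100501" level="2">
  <if_sid>1002</if_sid>
  <options>no_email_alert</options>
  <description>Ignoring rule 1002.</description>
</rule>
<rule id="100504" level="7">
  <if_sid>550,551,552,2902</if_sid>
  <options>no_email_alert</options>
  <match>Integrity checksum changed</match>
  <description>New packages installed, and checksum changes</description>
</rule>
"""

def lint_rules(fragment):
    """Return (ok, findings): a parse error, or one finding per rule problem."""
    try:
        # local_rules.xml has no single root; wrap the fragment like OSSEC's <group>.
        root = ET.fromstring("<group>" + fragment + "</group>")
    except ET.ParseError as exc:
        return False, ["not well-formed XML, OSSEC will refuse to load it: %s" % exc]
    findings = []
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        if rule.get("id") is None or rule.get("level") is None:
            findings.append("rule %s: missing id or level attribute" % rid)
        if rule.find("if_sid") is None:
            findings.append("rule %s: no <if_sid>, it does not override a parent rule" % rid)
        # OSSEC allows several <options> elements; normalise to a flat list.
        opts = [o.strip() for el in rule.findall("options")
                for o in (el.text or "").split(",")]
        if "no_email_alert" not in opts:
            findings.append("rule %s: missing no_email_alert, it will still be mailed" % rid)
    return not findings, findings
```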
