On Wed, Aug 1, 2012 at 4:15 AM, Christian Beer <[email protected]> wrote:
>> On 31.07.2012 17:56, dan (ddp) wrote:
>>>
>>> On Tue, Jul 31, 2012 at 11:49 AM, ChristianB
>>> <[email protected]> wrote:
>>>>
>>>> Hello all,
>>>>
>>>> I now have my local installation of OSSEC working and integrated with my
>>>> running services. So far it's working really well. There is still one
>>>> thing that is not really working. I set up email notifications for active
>>>> response rules in my ossec.conf like this:
>>>>
>>>> <email_alerts>
>>>>   <email_to>[email protected]</email_to>
>>>>   <rule_id>601, 602</rule_id>
>>>>   <do_not_delay />
>>>>   <do_not_group />
>>>> </email_alerts>
>>>>
>>>> I also tried using the <rule_group> tag but this also didn't work. Every
>>>> other notification is correctly sent (ossec start and everything above
>>>> level 7). For the meantime I want to have all active_response actions sent
>>>> to me immediately to fine-tune the system.
>>>>
>>>> And before you ask: yes, I checked with analogi that there were indeed
>>>> alerts triggering rules 601 and 602. I also have a minimal
>>>> local_rules.xml (listen ports warning and load average warning) and an
>>>> extended ar_log decoder in my local_decoder.xml (added German weekdays to
>>>> the regex).
>>>>
>>>> Regards
>>>> Christian
>>>
>>> What is your email_alert_level set to? 601 is only a level 3, so if
>>> it's set higher than that you shouldn't expect email notification.
>>
>> email_alert_level is set to 7. But I don't really want to lower this just to
>> get the ar notifications on top. I thought that for individual email
>> notifications this alert level is ignored. As it is a global setting I will
>> overwrite the rules in question and set the level to 7 for the meantime.
>
> I added this to my rules/local_rules.xml file:
>
> <group name="ossec,">
>   <rule id="601" level="7" overwrite="yes">
>     <if_sid>600</if_sid>
>     <action>firewall-drop.sh</action>
>     <status>add</status>
>     <description>Host Blocked by firewall-drop.sh Active Response</description>
>     <group>active_response,</group>
>   </rule>
>
>   <rule id="602" level="7" overwrite="yes">
>     <if_sid>600</if_sid>
>     <action>firewall-drop.sh</action>
>     <status>delete</status>
>     <description>Host Unblocked by firewall-drop.sh Active Response</description>
>     <group>active_response,</group>
>   </rule>
> </group>
>
> And this had some side effects you should know about. Rule 601 was triggered
> by rule 3306 last night, resulting in:
>
> -----------------------------------------------------------------------
> ** Alert 1343766114.30760: mail - ossec,active_response,
> 2012 Jul 31 22:21:54 SERVER->/var/local/ossec/logs/active-responses.log
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response'
> Src IP: 118.161.77.138
> Di 31. Jul 22:21:52 CEST 2012
> /var/local/ossec/active-response/bin/firewall-drop.sh add - 118.161.77.138
> 1343766112.29613 3306
>
> ** Alert 1343766744.31117: mail - ossec,active_response,
> 2012 Jul 31 22:32:24 SERVER->/var/local/ossec/logs/active-responses.log
> Rule: 602 (level 7) -> 'Host Unblocked by firewall-drop.sh Active Response'
> Src IP: 118.161.77.138
> Di 31. Jul 22:32:24 CEST 2012
> /var/local/ossec/active-response/bin/firewall-drop.sh delete -
> 118.161.77.138 1343766112.29613 3306
> -----------------------------------------------------------------------
>
> Everything fine till here, but now it's getting weird. The unblocking for
> rule 3306 triggered a new block because of rule 602. And this repeats every
> 10 minutes (the configured interval for blocking):
>
> -----------------------------------------------------------------------
> ** Alert 1343766746.31479: mail - ossec,active_response,
> 2012 Jul 31 22:32:26 SERVER->/var/local/ossec/logs/active-responses.log
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response'
> Src IP: 118.161.77.138
> Di 31. Jul 22:32:24 CEST 2012
> /var/local/ossec/active-response/bin/firewall-drop.sh add - 118.161.77.138
> 1343766744.31117 602
>
> ** Alert 1343767377.32437: mail - ossec,active_response,
> 2012 Jul 31 22:42:57 SERVER->/var/local/ossec/logs/active-responses.log
> Rule: 602 (level 7) -> 'Host Unblocked by firewall-drop.sh Active Response'
> Src IP: 118.161.77.138
> Di 31. Jul 22:42:57 CEST 2012
> /var/local/ossec/active-response/bin/firewall-drop.sh delete -
> 118.161.77.138 1343766744.31117 602
>
> ** Alert 1343767379.32798: mail - ossec,active_response,
> 2012 Jul 31 22:42:59 SERVER->/var/local/ossec/logs/active-responses.log
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response'
> Src IP: 118.161.77.138
> Di 31. Jul 22:42:57 CEST 2012
> /var/local/ossec/active-response/bin/firewall-drop.sh add - 118.161.77.138
> 1343767377.32437 602
>
> ** Alert 1343768010.33154: mail - ossec,active_response,
> 2012 Jul 31 22:53:30 SERVER->/var/local/ossec/logs/active-responses.log
> Rule: 602 (level 7) -> 'Host Unblocked by firewall-drop.sh Active Response'
> Src IP: 118.161.77.138
> Di 31. Jul 22:53:30 CEST 2012
> /var/local/ossec/active-response/bin/firewall-drop.sh delete -
> 118.161.77.138 1343767377.32437 602
>
> ** Alert 1343768012.33515: mail - ossec,active_response,
> 2012 Jul 31 22:53:32 SERVER->/var/local/ossec/logs/active-responses.log
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response'
> Src IP: 118.161.77.138
> -----------------------------------------------------------------------
>
> I then commented out the rule 602 overwrite in local_rules.xml and this
> endless flood of alerts was stopped. Just posting so you know this didn't
> really work as expected. I still think that individual email notifications
> should not be influenced by email_alert_level. Maybe someone can pass this
> to the developers.
>
> Regards
> Christian
Either open an issue, or hope someone who wants that behavior and will actually code it reads your email.
