According to http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html, 
<ossec_config><alerts><email_alert_level> is the minimum level for an alert 
to trigger an email. 
It overrides granular email alert levels.  

However, individual rules can still override this with
<rule><options>alert_by_email</options>
as shown in http://www.ossec.net/doc/syntax/head_rules.html#element-options

Just FYI, since I am not sure whether this fits your specific needs.

On Wednesday, August 1, 2012 1:15:46 AM UTC-7, Christian Beer wrote:
>
> > Am 31.07.2012 17:56, schrieb dan (ddp): 
> >> On Tue, Jul 31, 2012 at 11:49 AM, ChristianB 
> >> <[email protected]>  wrote: 
> >>> Hello all,
> >>>
> >>> I now have my local installation of OSSEC working and integrated with my
> >>> running services. So far it's working really well. There is still one thing
> >>> that is not really working. I set up email notifications for active response
> >>> rules in my ossec.conf like this:
> >>> <email_alerts>
> >>>      <email_to>[email protected]</email_to>
> >>>      <rule_id>601, 602</rule_id>
> >>>      <do_not_delay />
> >>>      <do_not_group />
> >>> </email_alerts>
> >>>
> >>> I also tried using the <rule_group> tag but this also didn't work. Every
> >>> other notification is correctly sent (ossec start and everything above level
> >>> 7). For the meantime I want to have all active_response actions sent to me
> >>> immediately to fine-tune the system.
> >>>
> >>> And before you ask. Yes I checked with analogi that there were indeed
> >>> alerts triggering rules 601 and 602. I also have a minimal local_rules.xml
> >>> (Listen ports warning and load average warning) and an extended ar_log
> >>> decoder in my local_decoder.xml (added German weekdays to the regex).
> >>>
> >>> Regards
> >>> Christian
> >> What is your email_alert_level set to? 601 is only a level 3, so if 
> >> it's set higher than that you shouldn't expect email notification. 
> > email_alert_level is set to 7. But I don't really want to lower this
> > just to get the ar notifications on top. I thought that for individual email
> > notifications this alert level is ignored. As it is a global setting I will
> > overwrite the rules in question and set the level to 7 for the meantime.
>
> I added this to my rules/local_rules.xml file: 
>
> <group name="ossec,">
>    <rule id="601" level="7" overwrite="yes">
>      <if_sid>600</if_sid>
>      <action>firewall-drop.sh</action>
>      <status>add</status>
>      <description>Host Blocked by firewall-drop.sh Active Response</description>
>      <group>active_response,</group>
>    </rule>
>
>    <rule id="602" level="7" overwrite="yes">
>      <if_sid>600</if_sid>
>      <action>firewall-drop.sh</action>
>      <status>delete</status>
>      <description>Host Unblocked by firewall-drop.sh Active Response</description>
>      <group>active_response,</group>
>    </rule>
> </group>
>
> And this had some side effects you should know about. Rule 601 was
> triggered by rule 3306 last night resulting in:
>
> ----------------------------------------------------------------------- 
> ** Alert 1343766114.30760: mail  - ossec,active_response, 
> 2012 Jul 31 22:21:54 SERVER->/var/local/ossec/logs/active-responses.log 
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response' 
> Src IP: 118.161.77.138 
> Di 31. Jul 22:21:52 CEST 2012 
> /var/local/ossec/active-response/bin/firewall-drop.sh add - 
> 118.161.77.138 1343766112.29613 3306 
>
> ** Alert 1343766744.31117: mail  - ossec,active_response, 
> 2012 Jul 31 22:32:24 SERVER->/var/local/ossec/logs/active-responses.log 
> Rule: 602 (level 7) -> 'Host Unblocked by firewall-drop.sh Active 
> Response' 
> Src IP: 118.161.77.138 
> Di 31. Jul 22:32:24 CEST 2012 
> /var/local/ossec/active-response/bin/firewall-drop.sh delete - 
> 118.161.77.138 1343766112.29613 3306 
> ----------------------------------------------------------------------- 
>
> Everything fine till here, but now it's getting weird. The unblocking
> for rule 3306 triggered a new block because of rule 602. And this
> repeats every 10 minutes (the configured interval for blocking).
>
> ----------------------------------------------------------------------- 
> ** Alert 1343766746.31479: mail  - ossec,active_response, 
> 2012 Jul 31 22:32:26 SERVER->/var/local/ossec/logs/active-responses.log 
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response' 
> Src IP: 118.161.77.138 
> Di 31. Jul 22:32:24 CEST 2012 
> /var/local/ossec/active-response/bin/firewall-drop.sh add - 
> 118.161.77.138 1343766744.31117 602 
>
> ** Alert 1343767377.32437: mail  - ossec,active_response, 
> 2012 Jul 31 22:42:57 SERVER->/var/local/ossec/logs/active-responses.log 
> Rule: 602 (level 7) -> 'Host Unblocked by firewall-drop.sh Active 
> Response' 
> Src IP: 118.161.77.138 
> Di 31. Jul 22:42:57 CEST 2012 
> /var/local/ossec/active-response/bin/firewall-drop.sh delete - 
> 118.161.77.138 1343766744.31117 602 
>
> ** Alert 1343767379.32798: mail  - ossec,active_response, 
> 2012 Jul 31 22:42:59 SERVER->/var/local/ossec/logs/active-responses.log 
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response' 
> Src IP: 118.161.77.138 
> Di 31. Jul 22:42:57 CEST 2012 
> /var/local/ossec/active-response/bin/firewall-drop.sh add - 
> 118.161.77.138 1343767377.32437 602 
>
> ** Alert 1343768010.33154: mail  - ossec,active_response, 
> 2012 Jul 31 22:53:30 SERVER->/var/local/ossec/logs/active-responses.log 
> Rule: 602 (level 7) -> 'Host Unblocked by firewall-drop.sh Active 
> Response' 
> Src IP: 118.161.77.138 
> Di 31. Jul 22:53:30 CEST 2012 
> /var/local/ossec/active-response/bin/firewall-drop.sh delete - 
> 118.161.77.138 1343767377.32437 602 
>
> ** Alert 1343768012.33515: mail  - ossec,active_response, 
> 2012 Jul 31 22:53:32 SERVER->/var/local/ossec/logs/active-responses.log 
> Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response' 
> Src IP: 118.161.77.138 
> ----------------------------------------------------------------------- 
>
> I then commented out the rule 602 overwrite in local_rules.xml and this 
> endless flood of alerts was stopped. Just posting so you know this 
> didn't really work as expected. I still think that individual email 
> notifications should not be influenced by email_alert_level. Maybe 
> someone can pass this to the developers. 
>
> Regards 
> Christian 
>
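The loop Christian describes is visible in the active-response log line itself: the last two fields of each firewall-drop.sh entry name the alert and rule that launched it, and once rule 602 was raised to level 7 its own "unblocked" entry started launching new blocks. The following is an added example (not from the thread or the OSSEC project) that parses alert blocks in the format quoted above and flags every block launched by rule 601 or 602; the sample alerts, alert ids and the 192.0.2.10 address are constructed. Per the reply at the top, the cleaner fix is `<options>alert_by_email</options>` on rules 601/602 instead of raising their level, so the active-response threshold never sees them.

```python
import re
from collections import namedtuple

# OSSEC rule ids decoded from active-responses.log itself (as in the thread):
# 601 = host blocked by firewall-drop.sh, 602 = host unblocked.
AR_LOG_RULES = {"601", "602"}

# firewall-drop.sh log line: "... firewall-drop.sh <add|delete> - <ip> <alert> <rule>";
# the last two fields identify the alert and rule that launched the response.
AR_LINE_RE = re.compile(
    r"firewall-drop\.sh (?P<action>add|delete) - (?P<ip>\S+) "
    r"(?P<by_alert>\S+) (?P<by_rule>\d+)"
)

# Constructed sample in the alert format quoted in the thread (documentation IP).
SAMPLE_ALERTS = """\
** Alert 1000000001.100: mail  - ossec,active_response,
2012 Jul 31 22:21:54 SERVER->/var/local/ossec/logs/active-responses.log
Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response'
Tue Jul 31 22:21:52 CEST 2012 /var/local/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1000000000.099 3306
** Alert 1000000631.200: mail  - ossec,active_response,
2012 Jul 31 22:32:24 SERVER->/var/local/ossec/logs/active-responses.log
Rule: 602 (level 7) -> 'Host Unblocked by firewall-drop.sh Active Response'
Tue Jul 31 22:32:24 CEST 2012 /var/local/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1000000000.099 3306
** Alert 1000000633.300: mail  - ossec,active_response,
2012 Jul 31 22:32:26 SERVER->/var/local/ossec/logs/active-responses.log
Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response'
Tue Jul 31 22:32:24 CEST 2012 /var/local/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1000000631.200 602
"""

ArEvent = namedtuple("ArEvent", "alert_id rule action ip by_alert by_rule")

def parse_ar_events(text):
    """One ArEvent per 601/602 alert block that carries a firewall-drop.sh line."""
    events = []
    for block in text.split("** Alert ")[1:]:
        alert_id = block.split(":", 1)[0]
        rule = re.search(r"^Rule: (\d+) \(level \d+\)", block, re.M)
        ar = AR_LINE_RE.search(block)
        if rule and rule.group(1) in AR_LOG_RULES and ar:
            events.append(ArEvent(alert_id, rule.group(1), ar.group("action"),
                                  ar.group("ip"), ar.group("by_alert"),
                                  ar.group("by_rule")))
    return events

def find_feedback_loops(events):
    """Blocks ('add') launched by rule 601/602: the response reacting to its own
    log entry, which is the every-10-minutes loop described in the thread."""
    return [e for e in events if e.action == "add" and e.by_rule in AR_LOG_RULES]
```

Run it against a real alerts.log copy and any hit means an active-response rule sits at or above the response level threshold.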
