On Mon, Mar 11, 2013 at 4:41 PM, Rhoads, Robert W. <[email protected]> wrote:
> Here is an example of an alert I would think would be emailed out given its
> alert level (substitutions made to protect data):
>
> ** Alert 1363025973.366006859: mail - ids,fts,
> 2013 Mar 11 14:19:33 (SNORTsvr) <ip address>->/var/snort/logs/alerts
> Rule: 20100 (level 8) -> 'First time this IDS alert is generated.'
> Src IP: <ip address>
> Dst IP: <ip address>
> 03/11-13:19:30.519963 [**] [1:2000488:7] ET EXPLOIT MS-SQL SQL Injection
> closing string plus line comment [**] [Classification: Attempted User
> Privilege Gain] [Priority: 1] {TCP <ip address>:63836 -> <ip address>:1433
>
> The ossec.conf section for email is:
>
> <global>
> <email_notification>yes</email_notification>
> <email_to>[email protected]</email_to>
> <email_to>[email protected]</email_to>
> <smtp_server>1.2.3.4</smtp_server>
> <email_from>[email protected]</email_from>
> </global>
>

I can't think of a reason offhand that wouldn't send an email. If you have
access to the maillogs you could try seeing if the mail server rejected the
messages. If you don't, getting a packet capture when one of these alerts
fires might be helpful to see if OSSEC tries to send the email.

> Rob
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, March 11, 2013 4:06 PM
> To: [email protected]
> Subject: Re: [ossec-list] Newish to Ossec with question
>
> On Mon, Mar 11, 2013 at 3:48 PM, Rhoads, Robert W.
> <[email protected]> wrote:
>> Hello to everyone. I am fairly new to OSSEC and need a little
>> assistance or nudge in the right direction.
>>
>> I have installed the OSSEC agent on a Linux system running SNORT, and
>> have configured the OSSEC agent to look at and read the SNORT alert
>> file. I have confirmed that this does work, and according to the
>> OSSEC alert log on the server, the OSSEC server sees and generates an
>> alert on IDS events; however, these alerts OSSEC sees and generates in its
>> log file are not emailed out.
>> The setting for email alerts is set to level 7, and while the majority
>> are at level six, several level 8 and level 10 alerts do appear in the
>> log file and email was never generated. I am receiving email alerts
>> for other types of alerts generated by OSSEC.
>>
>> Do I need to create my own rule to get OSSEC to email the alerts to
>> me? If not, where might I go poking around to solve this?
>>
>> Respectfully,
>>
>> Robert Rhoads
>
> What alerts are you seeing in your ossec alerts.log that you expect emails
> on? How do you have email setup in ossec?
>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send
>> an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
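A small triage script for the situation in this thread, added here as an example and not code from OSSEC or from either poster. It splits an alerts.log into records, reads email_alert_level from ossec.conf, and sorts each alert into one of three buckets: meets the threshold and carries the "mail" token OSSEC writes after the alert id when the rule was flagged for e-mail (so the problem is downstream, in maild or at the SMTP server, which is where the maillog or packet-capture check above applies); meets the threshold but was never flagged; or is below the threshold and was never meant to be mailed. The <global> block is the one quoted in the thread; the <alerts> block, the second and third alerts.log records, rule id 100001, and the status code names are my own constructions, and the fallback of 7 when email_alert_level is absent is an assumption based on OSSEC's documented default.

```python
"""Triage OSSEC alerts.log records against the e-mail threshold in ossec.conf.
Added example for this thread; not OSSEC's own code."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed ossec.conf fragment: <global> as quoted in the thread, <alerts>
# assumed from the poster's statement that e-mail alerts are set to level 7.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <email_to>[email protected]</email_to>
    <smtp_server>1.2.3.4</smtp_server>
    <email_from>[email protected]</email_from>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed alerts.log sample: record 1 is the alert quoted in the thread
# (addresses already masked by the poster); records 2 and 3 are made up.
ALERTS_LOG = """** Alert 1363025973.366006859: mail - ids,fts,
2013 Mar 11 14:19:33 (SNORTsvr) <ip address>->/var/snort/logs/alerts
Rule: 20100 (level 8) -> 'First time this IDS alert is generated.'
Src IP: <ip address>
Dst IP: <ip address>
03/11-13:19:30.519963 [**] [1:2000488:7] ET EXPLOIT MS-SQL SQL Injection closing string plus line comment [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} <ip address>:63836 -> <ip address>:1433

** Alert 1363026001.366007000: - ids,
2013 Mar 11 14:20:01 (SNORTsvr) <ip address>->/var/snort/logs/alerts
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: <ip address>
03/11-13:20:00.000001 [**] [1:9999999:1] CONSTRUCTED sample signature [**] [Priority: 3] {TCP} <ip address>:40000 -> <ip address>:1433

** Alert 1363026100.366008000: - local,syslog,
2013 Mar 11 14:21:40 (SNORTsvr) <ip address>->/var/log/messages
Rule: 100001 (level 10) -> 'Constructed local rule that was not flagged for mail.'
Mar 11 14:21:39 SNORTsvr example[123]: constructed log line
"""

# "** Alert <ts>.<offset>: mail - <groups>" when flagged for e-mail, "...: - <groups>" otherwise.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?P<mail>mail)?\s*-\s*(?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    alert_id: str
    mail_flag: bool            # True when OSSEC wrote the "mail" token for this alert
    groups: List[str]
    rule_id: int = 0
    level: int = 0
    description: str = ""
    body: List[str] = field(default_factory=list)   # remaining lines of the record


def parse_alerts(text: str) -> List[Alert]:
    """Split an alerts.log into records; each record starts with '** Alert'."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Alert(m["id"], m["mail"] is not None,
                            [g for g in m["groups"].split(",") if g])
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        r = RULE_RE.match(line)
        if r:
            current.rule_id, current.level = int(r["rule_id"]), int(r["level"])
            current.description = r["desc"]
        else:
            current.body.append(line)
    return alerts


def email_threshold(conf_xml: str) -> Optional[int]:
    """email_alert_level from ossec.conf, or None when email_notification is not 'yes'."""
    root = ET.fromstring(conf_xml)
    if (root.findtext("global/email_notification") or "no").strip().lower() != "yes":
        return None
    level = root.findtext("alerts/email_alert_level")
    return int(level.strip()) if level else 7   # assumed fallback: OSSEC's documented default


QUEUED = "QUEUED_FOR_EMAIL"     # level met and flagged: check maild / SMTP-side logs
NOT_FLAGGED = "NOT_FLAGGED"     # level met but no "mail" token: OSSEC never queued it
BELOW = "BELOW_THRESHOLD"       # below email_alert_level, no mail expected
DISABLED = "NOTIFICATION_OFF"   # email_notification is not yes


def triage(alerts: List[Alert], threshold: Optional[int]) -> List[Tuple[str, int, int, str]]:
    """Return (alert_id, rule_id, level, status) for every record."""
    out = []
    for a in alerts:
        if threshold is None:
            status = DISABLED
        elif a.level < threshold:
            status = BELOW
        else:
            status = QUEUED if a.mail_flag else NOT_FLAGGED
        out.append((a.alert_id, a.rule_id, a.level, status))
    return out


if __name__ == "__main__":
    for alert_id, rule_id, level, status in triage(parse_alerts(ALERTS_LOG), email_threshold(OSSEC_CONF)):
        print(f"{alert_id}  rule {rule_id:>6}  level {level:>2}  {status}")
```

Run against a real alerts.log by replacing the constructed strings with the file contents; every record reported as QUEUED_FOR_EMAIL is one OSSEC decided to mail, so for those the maillog and a packet capture of traffic to the smtp_server are the next things to look at, while NOT_FLAGGED records point back at rule or configuration on the OSSEC side.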
