Hello Evan,

rule 1002 matches every log which contains these words:

<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal
|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

and is by default configured to alert by email

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>*alert_by_email*</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

You can create a new local rule to override this for either only iptables or
all events with ID 1002

Jan
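As an added example (not from Jan's reply or from the OSSEC ruleset itself), here is a local_rules.xml showing both options Jan mentions: a child rule that silences only the iptables lines, and an overwrite of 1002 that drops the alert_by_email option so emails again follow the configured level thresholds. The rule id 100002 is an assumed placeholder in the local-rule range.

```xml
<!-- local_rules.xml (added example, not part of the list message).
     Rule id 100002 is an assumed placeholder; OSSEC reserves ids
     from 100000 upward for local rules. -->
<group name="local,syslog,">

  <!-- Option A: only the iptables "denied" lines stop firing 1002.
       A level 0 child rule wins over its parent and is never
       logged or emailed; every other BAD_WORDS hit is unchanged. -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>iptables denied</match>
    <description>iptables drop, not a system problem.</description>
  </rule>

  <!-- Option B: keep rule 1002 for all events, but without the
       alert_by_email option, so a level 2 hit is still written to
       alerts.log and email is governed by email_alert_level only.
       $BAD_WORDS is the variable defined by the default ruleset. -->
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

</group>
```

After restarting with /var/ossec/bin/ossec-control restart, paste the iptables line into /var/ossec/bin/ossec-logtest to confirm which rule now fires and at what level.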



On Fri, Apr 11, 2014 at 4:23 PM, Evan <[email protected]> wrote:

> All of them are like this one:
>
> OSSEC HIDS Notification.
> 2014 Apr 11 00:48:55
>
> Received From: my_host_name->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Apr 11 00:48:47 my_host_name kernel: iptables denied: IN=eth0 OUT=
> MAC=ff:3c:91:70:34:ec:84:38:af:0d:97:c1:09:11 SRC=xx.xx.xx.xx
> DST=xx.xx.xx.xx LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=57740 PROTO=UDP SPT=455
> DPT=123 LEN=56
>
> (I replaced both IPs with x's)
>
>
> On Thursday, April 10, 2014 9:16:13 PM UTC-5, nicolaszin wrote:
>
>> Which alerts is it?
>>
>> does the alert have an “alert_by_email” by any chance?
>>
>>
>>
>>
>> On Thu, Apr 10, 2014 at 9:03 PM, Evan <[email protected]> wrote:
>>
>>> Today I installed OSSEC on my server and I have these settings:
>>>
>>>   <global>
>>>     <email_notification>yes</email_notification>
>>>     <email_to>[email protected]</email_to>
>>>
>>>     <smtp_server>localhost</smtp_server>
>>>     <email_from>ossecm@scaver</email_from>
>>>   </global>
>>>
>>>   <email_alerts>
>>>     <email_to>[email protected]</email_to>
>>>
>>>     <level>7</level>
>>>   </email_alerts>
>>>
>>> Near the end of the file I have these lines as well:
>>>
>>>   <alerts>
>>>     <log_alert_level>1</log_alert_level>
>>>     <email_alert_level>8</email_alert_level>
>>>   </alerts>
>>>
>>> But with these settings I get an email from OSSEC every 5 seconds and
>>> it's a Level 2 alert.  What do I need to configure so that I only get an
>>> email for level 7 and above?
>>>
>>> Thanks,
>>> Evan
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>>
>>> For more options, visit https://groups.google.com/d/optout.
>>>
