Hello, I keep getting the following email notification from the OSSEC server.

    OSSEC HIDS Notification.
    2015 Jan 12 06:00:01

    Received From: trinity->/var/log/maillog
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Jan 12 06:00:00 trinity smtpd[1161]: smtp-out: Error on session 07918aa71d08e40c: Connection failed: No route to host

    --END OF NOTIFICATION

This message occurs because I relay my email to Gmail. By default, the system tries to connect to the Google mail server via IPv6. As I don't have IPv6 set up on my machine, it then goes to connect via IPv4 and the message gets sent successfully...

In order to stop receiving this email notification, I added the following rule in my rules/local_rules.xml:

    <rule id="ID" level="0">
      <if_sid>1002</if_sid>
      <program_name>^smtpd</program_name>
      <match>Connection failed: No route to host</match>
      <description>Ignore no route to host errors</description>
    </rule>

This rule stops me from receiving the SMTP email if things go wrong on my IPv4, which is not so great.

This is the message (cat /var/log/maillog | grep smtpd):

    Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
    Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
    Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d) for 800s
    Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
    Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
    Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Started TLS on session 07918acafef9207e: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
    Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Server certificate verification succeeded on session 07918acafef9207e
    Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: New session eb3da34a86b2b728 from host localhost [127.0.0.1]
    Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Accepted message 584a94dc on session eb3da34a86b2b728: from=<[email protected]>, to=<[email protected]>, size=500, ndest=1, proto=SMTP
    Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Closing session eb3da34a86b2b728
    Jan 13 06:00:04 FreeBSDHost smtpd[1161]: relay: Ok for 1f0e0496ba195f5b: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<[email protected]>, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=4s, stat=250 2.0.0 OK 1421128804 ej10sm12863329wib.1 - gsmtp
    Jan 13 06:00:07 FreeBSDHost smtpd[1161]: relay: Ok for 584a94dc54b22613: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=3s, stat=250 2.0.0 OK 1421128807 ej10sm12863329wib.1 - gsmtp
    Jan 13 06:00:17 FreeBSDHost smtpd[1161]: smtp-out: Closing session 07918acafef9207e: 2 messages sent.
    Jan 13 06:13:20 FreeBSDHost smtpd[1161]: smtp-out: Enabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d)

Now how could I write a rule like I did before, but with the exception to ignore:

    smtp-out: Connecting to tls://IPv6

Thank you very much

Fred
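The difficulty in the question above is that the "No route to host" line never mentions IPv6; only the preceding "Connecting to tls://IPv6:..." line for the same smtpd session does, and a single-line `<match>` cannot see it. The following is an added example, not code from the post or from OSSEC: a small Python pre-filter that keys on the session id, marks a failure as benign only when that session's last connect attempt was to an IPv6 literal, and still reports an IPv4 failure. The log is constructed from lines in the post plus one invented IPv4 failure (target 192.0.2.10, a documentation address) to show the case that must keep alerting.

```python
import re

# Constructed sample: two sessions taken from the post, plus an invented
# IPv4 failure (192.0.2.10 / mx.example.invalid are placeholders).
SAMPLE_LOG = """\
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
Jan 13 06:00:05 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://192.0.2.10:587 (mx.example.invalid) on session 0000000000000001...
Jan 13 06:00:05 FreeBSDHost smtpd[1161]: smtp-out: Error on session 0000000000000001: Connection failed: No route to host
"""

# "Connecting to <target> (<name>) on session <id>..." from OpenSMTPD's smtp-out
CONNECT_RE = re.compile(
    r"smtpd\[\d+\]: smtp-out: Connecting to (\S+) \(.*\) on session ([0-9a-f]+)")
# The failure line carries only the session id, not the address family
ERROR_RE = re.compile(
    r"smtpd\[\d+\]: smtp-out: Error on session ([0-9a-f]+): "
    r"Connection failed: No route to host")


def classify_failures(log_text):
    """Return (session, target, benign) for every 'No route to host' error.

    benign is True only when the same session's most recent connect attempt
    targeted an IPv6 literal, i.e. the case the poster wants to ignore.
    """
    last_target = {}  # session id -> target of its latest "Connecting to" line
    results = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            last_target[m.group(2)] = m.group(1)
            continue
        m = ERROR_RE.search(line)
        if m:
            session = m.group(1)
            target = last_target.get(session, "")  # unknown session -> not benign
            results.append((session, target, target.startswith("tls://IPv6:")))
    return results


def alerts(log_text):
    """Session ids whose failure should still raise an alert (non-IPv6 attempts)."""
    return [s for s, _, benign in classify_failures(log_text) if not benign]
```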
