On Wed, Jan 21, 2015 at 6:02 AM, Fred974 <[email protected]> wrote:
> Hello,
>
> I keep getting the following email notification from the ossec server.
>
> OSSEC HIDS Notification.
> 2015 Jan 12 06:00:01
>
> Received From: trinity->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jan 12 06:00:00 trinity smtpd[1161]: smtp-out: Error on session 07918aa71d08e40c: Connection failed: No route to host
>
> --END OF NOTIFICATION
>
> This message occurs because I relay my email to Gmail. By default, the system tries to connect to the Google mail server via IPv6. As I don't have IPv6 set up on my machine, it then goes on to connect via IPv4 and the message gets sent successfully...
>
> In order to stop receiving this email notification, I added the following rule in my rules/local_rules.xml
>
> <rule id="ID" level="0">
>   <if_sid>1002</if_sid>
>   <program_name>^smtpd</program_name>
>   <match>Connection failed: No route to host</match>
>   <description>Ignore no route to host errors</description>
> </rule>
>
> This rule stops me from receiving the SMTP email if things go wrong on my IPv4, which is not so great.
>
> This is the message: cat /var/log/maillog | grep smtpd
>
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d) for 800s
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Started TLS on session 07918acafef9207e: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Server certificate verification succeeded on session 07918acafef9207e
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: New session eb3da34a86b2b728 from host localhost [127.0.0.1]
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Accepted message 584a94dc on session eb3da34a86b2b728: from=<[email protected]>, to=<[email protected]>, size=500, ndest=1, proto=SMTP
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Closing session eb3da34a86b2b728
> Jan 13 06:00:04 FreeBSDHost smtpd[1161]: relay: Ok for 1f0e0496ba195f5b: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<[email protected]>, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=4s, stat=250 2.0.0 OK 1421128804 ej10sm12863329wib.1 - gsmtp
> Jan 13 06:00:07 FreeBSDHost smtpd[1161]: relay: Ok for 584a94dc54b22613: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=3s, stat=250 2.0.0 OK 1421128807 ej10sm12863329wib.1 - gsmtp
> Jan 13 06:00:17 FreeBSDHost smtpd[1161]: smtp-out: Closing session 07918acafef9207e: 2 messages sent.
> Jan 13 06:13:20 FreeBSDHost smtpd[1161]: smtp-out: Enabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d)
>
Something happened with the formatting and all this got jumbled.

> Now how could I write a rule like I did before but with the exception to ignore:
> smtp-out: Connecting to tls://IPv6

I don't see that in the original log message. If the session field keeps track of actual sessions and is the same, you might be able to use the accumulator functionality to keep track of this information between log messages.
http://ossec-docs.readthedocs.org/en/latest/syntax/head_decoders.html?highlight=accumulator#element-decoder.accumulate

> Thank you very much
> Fred
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
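As an added illustration of the per-session correlation the reply suggests (this is not code from the thread or from OSSEC): in Fred's log the "Connecting to tls://IPv6:..." line and the "Error on session ...: Connection failed: No route to host" line share a session id, so remembering the last target dialled per session is enough to separate the benign IPv6 fallback from a real failure to an IPv4 relay. The first four sample lines are taken from the thread; the last two are constructed, and the address and hostname in them are placeholders.

```python
import re
from typing import Dict, List, Tuple

# OpenSMTPD smtp-out lines: "Connecting to tls://<target> (<name>) on session <id>..."
CONNECT_RE = re.compile(
    r"smtp-out: Connecting to \S+://(?P<target>\S+) \(.*\) on session (?P<sid>[0-9a-f]+)"
)
# "... smtp-out: Error on session <id>: <reason>"
ERROR_RE = re.compile(r"smtp-out: Error on session (?P<sid>[0-9a-f]+): (?P<reason>.+)$")

# Constructed sample: lines 1-4 are from the thread, lines 5-6 are made up (placeholder relay)
SAMPLE_LOG = [
    "Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...",
    "Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host",
    "Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...",
    "Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e",
    "Jan 13 06:05:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://203.0.113.25:587 (mail.example.invalid) on session 0000000000000001...",
    "Jan 13 06:05:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 0000000000000001: Connection failed: No route to host",
]


def target_is_ipv6(target: str) -> bool:
    """OpenSMTPD writes IPv6 targets with an "IPv6:" prefix; anything else is IPv4 or a name."""
    return target.startswith("IPv6:")


def classify_failures(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (session, reason, verdict) for each smtp-out connection error.

    verdict is "ignore" when the attempt that failed on that session was to an
    IPv6 target (the known fallback on a host without IPv6) and "alert" otherwise,
    including errors whose session has no earlier "Connecting to" line (fail safe).
    """
    last_target: Dict[str, str] = {}  # session id -> last target dialled on it
    verdicts: List[Tuple[str, str, str]] = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            last_target[m.group("sid")] = m.group("target")
            continue
        m = ERROR_RE.search(line)
        if m:
            sid = m.group("sid")
            verdict = "ignore" if target_is_ipv6(last_target.get(sid, "")) else "alert"
            verdicts.append((sid, m.group("reason"), verdict))
    return verdicts


if __name__ == "__main__":
    for sid, reason, verdict in classify_failures(SAMPLE_LOG):
        print(f"{verdict:6} session={sid} {reason}")
```

The same idea applied to real OSSEC would need a decoder that extracts the session id and target so the error can be matched against the earlier line; this script only shows that the log carries enough state to make the distinction.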
