Let me repost the original message:
---

Hello,

I keep getting the following email notification from the ossec server.
OSSEC HIDS Notification.
2015 Jan 12 06:00:01

Received From: trinity->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 12 06:00:00 trinity smtpd[1161]: smtp-out: Error on session 
07918aa71d08e40c: Connection failed: No route to host


--END OF NOTIFICATION

This message occurs because I relay my email to Gmail. By default, the 
system tries to connect to the Google mail server via IPv6. As I don't have 
IPv6 set up on my machine, it then goes on to connect via IPv4 and the message 
gets sent successfully...

In order to stop receiving this email notification, I added the following 
rule in my rules/local_rules.xml
<rule id="ID" level="0">
  <if_sid>1002</if_sid>
  <program_name>^smtpd</program_name>
  <match>Connection failed: No route to host</match>
  <description>Ignore no route to host errors</description>
</rule> 

This rule stops me from receiving the SMTP email if things go wrong on 
my IPv4, which is not so great.

This is the message from cat /var/log/maillog | grep smtpd:
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d) for 800s
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Started TLS on session 07918acafef9207e: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Server certificate verification succeeded on session 07918acafef9207e
Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: New session eb3da34a86b2b728 from host localhost [127.0.0.1]
Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Accepted message 584a94dc on session eb3da34a86b2b728: from=<[email protected]>, to=<[email protected]>, size=500, ndest=1, proto=SMTP
Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Closing session eb3da34a86b2b728
Jan 13 06:00:04 FreeBSDHost smtpd[1161]: relay: Ok for 1f0e0496ba195f5b: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<[email protected]>, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=4s, stat=250 2.0.0 OK 1421128804 ej10sm12863329wib.1 - gsmtp
Jan 13 06:00:07 FreeBSDHost smtpd[1161]: relay: Ok for 584a94dc54b22613: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=3s, stat=250 2.0.0 OK 1421128807 ej10sm12863329wib.1 - gsmtp
Jan 13 06:00:17 FreeBSDHost smtpd[1161]: smtp-out: Closing session 07918acafef9207e: 2 messages sent.
Jan 13 06:13:20 FreeBSDHost smtpd[1161]: smtp-out: Enabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d)


Now how could I write a rule like I did before but with the exception to 
ignore:

smtp-out: Connecting to tls://IPv6



Thank you very much. Hope this is clearer.

Fred




On Wednesday, 21 January 2015 11:02:40 UTC, Fred974 wrote:
>
> Hello,
>
> I keep getting the following email notification from the ossec server.
>
> OSSEC HIDS Notification.
> 2015 Jan 12 06:00:01
>
> Received From: trinity->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jan 12 06:00:00 trinity smtpd[1161]: smtp-out: Error on session 07918aa71d08e40c: Connection failed: No route to host
>
> --END OF NOTIFICATION
>
> This message occurs because I relay my email to Gmail. By default, the 
> system tries to connect to the Google mail server via IPv6. As I don't 
> have IPv6 set up on my machine, it then goes on to connect via IPv4 and the 
> message gets sent successfully...
>
>
> In order to stop receiving this email notification, I added the following 
> rule in my rules/local_rules.xml
> <rule id="ID" level="0">
>   <if_sid>1002</if_sid>
>   <program_name>^smtpd</program_name>
>   <match>Connection failed: No route to host</match>
>   <description>Ignore no route to host errors</description>
> </rule>
>
> This rule stops me from receiving the SMTP email if things go wrong on my 
> IPv4, which is not so great.
>
> This is the message from cat /var/log/maillog | grep smtpd:
>
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d) for 800s
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Started TLS on session 07918acafef9207e: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Server certificate verification succeeded on session 07918acafef9207e
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: New session eb3da34a86b2b728 from host localhost [127.0.0.1]
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Accepted message 584a94dc on session eb3da34a86b2b728: from=<[email protected]>, to=<[email protected]>, size=500, ndest=1, proto=SMTP
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Closing session eb3da34a86b2b728
> Jan 13 06:00:04 FreeBSDHost smtpd[1161]: relay: Ok for 1f0e0496ba195f5b: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<[email protected]>, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=4s, stat=250 2.0.0 OK 1421128804 ej10sm12863329wib.1 - gsmtp
> Jan 13 06:00:07 FreeBSDHost smtpd[1161]: relay: Ok for 584a94dc54b22613: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=3s, stat=250 2.0.0 OK 1421128807 ej10sm12863329wib.1 - gsmtp
> Jan 13 06:00:17 FreeBSDHost smtpd[1161]: smtp-out: Closing session 07918acafef9207e: 2 messages sent.
> Jan 13 06:13:20 FreeBSDHost smtpd[1161]: smtp-out: Enabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d)
>
>
> Now how could I write a rule like I did before but with the exception to 
> ignore:
> smtp-out: Connecting to tls://IPv6
>
>
> Thank you very much
> Fred
>
>
>
>
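
In the maillog excerpt above, the "Connection failed: No route to host" line carries only a session id, so separating an IPv6 failure from an IPv4 one means pairing it with the earlier "Connecting to" line for the same session. The following Python example is added here to show that correlation; it is not part of the original post and is not OSSEC rule syntax, and the function name and the IPv4 failure line in the sample are constructed.

```python
import re

# Sample in the format of the maillog excerpt above. The last line (a failure
# on the IPv4 session) is constructed to show the case that must still alert.
SAMPLE_LOG = """\
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918acafef9207e: Connection failed: No route to host
"""

# "Connecting to <scheme>://<target> (<name>) on session <id>..."
CONNECT = re.compile(
    r"smtpd\[\d+\]: smtp-out: Connecting to \w+://(\S+) .* on session ([0-9a-f]+)")
# "Error on session <id>: Connection failed: No route to host"
ERROR = re.compile(
    r"smtpd\[\d+\]: smtp-out: Error on session ([0-9a-f]+): "
    r"Connection failed: No route to host")


def classify_failures(log_text):
    """Split 'No route to host' errors into (alerts, suppressed).

    An error is suppressed only when the same session id was previously seen
    connecting to an IPv6 target. Errors on IPv4 sessions, and errors whose
    session was never seen connecting, stay in alerts.
    """
    family = {}                      # session id -> "ipv6" or "ipv4"
    alerts, suppressed = [], []
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            target, session = m.groups()
            family[session] = "ipv6" if target.startswith("IPv6:") else "ipv4"
            continue
        m = ERROR.search(line)
        if m:
            bucket = suppressed if family.get(m.group(1)) == "ipv6" else alerts
            bucket.append(line)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = classify_failures(SAMPLE_LOG)
    print("alert:", *alerts, sep="\n  ")
    print("suppressed:", *suppressed, sep="\n  ")
```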
