On Wed, Jan 21, 2015 at 8:58 AM, Fred974 <[email protected]> wrote:
> Let me re-post the original message:
> ---
>
> Hello,
>
> I keep getting the following email notification from the ossec server.
>
> OSSEC HIDS Notification.
> 2015 Jan 12 06:00:01
>
> Received From: trinity->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jan 12 06:00:00 trinity smtpd[1161]: smtp-out: Error on session 07918aa71d08e40c: Connection failed: No route to host
>
> --END OF NOTIFICATION
>
> This message occurs because I relay my email to Gmail. By default, the system
> tries to connect to the Google mail server via IPv6. As I don't have IPv6
> set up on my machine, it then goes on to connect via IPv4 and the message gets
> sent successfully...
>
> In order to stop receiving this email notification, I added the following
> rule in my rules/local_rules.xml
>
> <rule id="ID" level="0">
>   <if_sid>1002</if_sid>
>   <program_name>^smtpd</program_name>
>   <match>Connection failed: No route to host</match>
>   <description>Ignore no route to host errors</description>
> </rule>
>
> This rule stops me from receiving the SMTP email if things go wrong on
> my IPv4, which is not so great.
>
> This is the output of cat /var/log/maillog | grep smtpd:
>
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
Since the error message doesn't include the information you want to filter on, it really looks like you'll have to mess with the accumulate stuff.

> Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d) for 800s
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Started TLS on session 07918acafef9207e: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
> Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Server certificate verification succeeded on session 07918acafef9207e
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: New session eb3da34a86b2b728 from host localhost [127.0.0.1]
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Accepted message 584a94dc on session eb3da34a86b2b728: from=<[email protected]>, to=<[email protected]>, size=500, ndest=1, proto=SMTP
> Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Closing session eb3da34a86b2b728
> Jan 13 06:00:04 FreeBSDHost smtpd[1161]: relay: Ok for 1f0e0496ba195f5b: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<[email protected]>, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=4s, stat=250 2.0.0 OK 1421128804 ej10sm12863329wib.1 - gsmtp
> Jan 13 06:00:07 FreeBSDHost smtpd[1161]: relay: Ok for 584a94dc54b22613: session=07918acafef9207e, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=3s, stat=250 2.0.0 OK 1421128807 ej10sm12863329wib.1 - gsmtp
> Jan 13 06:00:17 FreeBSDHost smtpd[1161]: smtp-out: Closing session 07918acafef9207e: 2 messages sent.
> Jan 13 06:13:20 FreeBSDHost smtpd[1161]: smtp-out: Enabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d)
>
> Now how could I write a rule like I did before, but with the exception to ignore:
>
> smtp-out: Connecting to tls://IPv6
>
> Thank you very much. Hope this is clearer.
>
> Fred
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
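The reply's point about accumulating comes down to correlating each smtp-out error with the earlier "Connecting to" line of the same session, because the error line itself never says whether the target was IPv6. The following is an added example, not from this thread or from OSSEC: a small Python script that does that per-session correlation over constructed lines modelled on Fred's log, so you can see what such a rule has to track; the 0123456789abcdef session and the mx.example.test target are made up.

```python
import re

# Constructed sample input modelled on the smtpd lines quoted in the thread:
# an IPv6 attempt that fails, the IPv4 retry that succeeds, and (made up)
# an IPv4 attempt that also fails and therefore should still alert.
SAMPLE_LOG = """\
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
Jan 13 06:05:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://192.0.2.25:587 (mx.example.test) on session 0123456789abcdef...
Jan 13 06:05:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 0123456789abcdef: Connection failed: No route to host
"""

CONNECTING = re.compile(
    r"smtp-out: Connecting to tls://(?P<target>\S+) \(.*\) on session (?P<sid>[0-9a-f]+)")
ERROR = re.compile(r"smtp-out: Error on session (?P<sid>[0-9a-f]+): (?P<err>.+)$")
BENIGN_ERROR = "Connection failed: No route to host"


def classify(lines):
    """Return one (session, target, error, benign) tuple per smtp-out error line."""
    # The 'Connecting to' line is remembered per session id so that the later
    # error line, which does not name the target, can be judged by it.
    last_target = {}
    findings = []
    for line in lines:
        m = CONNECTING.search(line)
        if m:
            last_target[m["sid"]] = m["target"]
            continue
        m = ERROR.search(line)
        if m:
            target = last_target.get(m["sid"], "")  # "" = session never seen
            # Only a no-route failure on an IPv6 target is expected on this host;
            # an unknown session or an IPv4 target keeps alerting (safe default).
            benign = target.startswith("IPv6:") and m["err"] == BENIGN_ERROR
            findings.append((m["sid"], target, m["err"], benign))
    return findings


def alerts(lines):
    """The error lines that should still raise an alert."""
    return [f for f in classify(lines) if not f[3]]


if __name__ == "__main__":
    for sid, target, err, benign in classify(SAMPLE_LOG.splitlines()):
        print("ignore" if benign else "ALERT ", sid, target or "<unknown>", err)
```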
