Hi All,

Another question for all you Ossec gurus. I have another rule set up to 
handle messages in a somewhat strange format (below). I would like this to 
ultimately trigger an email alert - which is working for other rules. 

Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com 
Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC 
time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\
Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded

I see that an alert is written to alerts.log, and ossec-logtest finished 
processing with **Alert to be generated. However, no email is sent? 

<group name="attack,virus">
  <rule id="100130" level="12">
    <decoded_as>MSSCEP</decoded_as>
    <options>alert_by_email</options>
    <description>SCEP malware alert</description>
  </rule>
</group>

As I wasn't sure how to best extract fields from the message above, the 
decoder simply matches on <program_name>, please feel free to suggest 
variants to decode the message and make use of the fields available in 
OSSEC. Perhaps my failure to do so, can have something to do with the 
missing email alert?

<decoder name="MSSCEP">
  <program_name>SCEP</program_name>
  <type>syslog</type>
</decoder>


Finally, output from ossec-logtest:

**Phase 1: Completed pre-decoding.
       full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: 
client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 
Last detection time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
 
Quarantine Succeeded'
       hostname: 'ossec-srv'
       program_name: 'SCEP'
       log: 'Malware alert: client2.domain.com 
Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection 
time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
 
Quarantine Succeeded'

**Phase 2: Completed decoding.
       decoder: 'MSSCEP'

**Phase 3: Completed filtering (rules).
       Rule id: '100130'
       Level: '12'
       Description: 'SCEP malware alert'
**Alert to be generated.

Best regards,
Fredrik 
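One way to pull the individual fields out of this SCEP line rather than matching only on program_name, as an added example that is not part of Fredrik's post: a parent decoder keyed on the program name and a child decoder that captures the client host, the threat name, the infection count and the quarantine result into OSSEC's `system_name`, `extra_data`, `id` and `status` fields. The decoder names (`msscep`, `msscep-malware`) and the choice of which field receives which value are assumptions; the regex is written in OSSEC's own os_regex syntax (`\S`, `\d`, `\w`, `\.`) and against the exact message shown above, so any SCEP variant with different wording would need its own child decoder.

```xml
<!-- Added example (not from the original post). Parent: match the syslog
     program name so every SCEP message is routed to the children below. -->
<decoder name="msscep">
  <program_name>^SCEP</program_name>
</decoder>

<!-- Child: only lines that begin "Malware alert: " reach the regex.
     Captures, in order:
       1. client hostname            -> system_name
       2. threat name (e.g. Exploit:Java/...) -> extra_data
       3. number of infections       -> id
       4. quarantine result word     -> status  (assumed values: Succeeded/Failed)
     "\.+" swallows the detection time and file path, which are not captured. -->
<decoder name="msscep-malware">
  <parent>msscep</parent>
  <prematch>^Malware alert: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: (\d+) \.+ Quarantine (\w+)$</regex>
  <order>system_name, extra_data, id, status</order>
</decoder>
```

With these fields decoded, ossec-logtest should show them under Phase 2, and rules can refine on them instead of firing once for every SCEP line: for example `<if_sid>100130</if_sid>` with `<status>Failed</status>` would let a higher-level rule single out detections where quarantine did not succeed, and the threat name in `extra_data` can be used to group alerts. Decoding fields does not by itself affect whether ossec-maild sends mail, so the email problem still needs to be checked against `email_notification`, `email_alert_level` and the `alert_by_email` option separately.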
