Thanks Eero! Anything specific to look for that could conflict with this particular alert? Mail alerts seem to be working fine for other rules.

I checked the mail.info for anything obvious, but couldn't see anything suspicious at a first glance...

Best regards,
Fredrik

On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
>
> Please check your mail server configuration?
>
> 2016-02-24 8:28 GMT+02:00 Fredrik <[email protected]>:
>
>> Thanks Santiago, please find more details below.
>>
>> Best regards,
>> Fredrik
>>
>> Yes, I see the alert written to alerts.log (pulled the alert below out of
>> the archive from yesterday) and email alerts are working for other rules. I
>> also restarted ossec but to no avail. Strange!
>>
>> ossec-alerts-23.log.gz:
>> Rule: 100130 (level 12) -> 'SCEP malware alert'
>> Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>
>> ossec.conf:
>> <alerts>
>>   <log_alert_level>1</log_alert_level>
>>   <email_alert_level>7</email_alert_level>
>> </alerts>
>>
>> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
>>>
>>> Did you say other alerts are triggering emails correctly? Everything
>>> looks good to me, but here are some questions that might help troubleshoot
>>> the problem.
>>>
>>> Do you see the alert in alerts.log file?
>>> Have you configured other global email settings?
>>> What is your email_alerts_level?
>>>
>>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Another question for all you Ossec gurus. I have another rule set up to
>>>> handle messages in a somewhat strange format (below). I would like this to
>>>> ultimately trigger an email alert - which is working for other rules.
>>>>
>>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>
>>>> I see that an alert is written to alerts.log, and ossec-logtest
>>>> finished processing with **Alert to be generated. However, no email is
>>>> sent?
>>>>
>>>> <group name="attack,virus">
>>>>   <rule id="100130" level="12">
>>>>     <decoded_as>MSSCEP</decoded_as>
>>>>     <options>alert_by_email</options>
>>>>     <description>SCEP malware alert</description>
>>>>   </rule>
>>>> </group>
>>>>
>>>> As I wasn't sure how to best extract fields from the message above, the
>>>> decoder simply matches on <program_name>. Please feel free to suggest
>>>> variants to decode the message and make use of the fields available in
>>>> OSSEC. Perhaps my failure to do so can have something to do with the
>>>> missing email alert?
>>>>
>>>> <decoder name="MSSCEP">
>>>>   <program_name>SCEP</program_name>
>>>>   <type>syslog</type>
>>>> </decoder>
>>>>
>>>> Finally, output from ossec-logtest:
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>        hostname: 'ossec-srv'
>>>>        program_name: 'SCEP'
>>>>        log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        decoder: 'MSSCEP'
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>        Rule id: '100130'
>>>>        Level: '12'
>>>>        Description: 'SCEP malware alert'
>>>> **Alert to be generated.
>>>>
>>>> Best regards,
>>>> Fredrik
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
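The following Python is an added worked example, not part of this thread and not OSSEC's own code. It models the three stages ossec-logtest prints for Fredrik's SCEP line (pre-decoding the syslog header, decoding the message body into fields, and matching rule 100130) and then applies the email decision the thread is debugging: an alert is a candidate for email when its level reaches email_alert_level (12 against 7 here) or the rule carries the alert_by_email option, and only if email notification is switched on globally, which is the kind of setting Santiago's "other global email settings" question points at. Everything beyond the values quoted in the thread is an assumption of this example: the Python regexes (in OSSEC itself the same extraction would be a child decoder using prematch, regex and order in OSSEC's own regex dialect), the field names chosen for the decoded result, the constructed second sample line with a space in its path, and the simplified decision logic.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Sample lines constructed for this example. The first reproduces the SCEP
# event quoted in the thread; the second is a made-up variant with a space in
# the file path, to show that field extraction does not break on it.
SAMPLE_LINE = (
    "Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com "
    "Exploit:Java/CVE-2012-1723!jar Number of infections: 1 "
    "Last detection time(UTC time): 8/5/2013 10:42:41 AM "
    "file:_C:\\Users\\user1\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\9\\748789-14f29c54 "
    "Quarantine Succeeded"
)
SAMPLE_LINE_SPACES = (
    "Feb 23 20:19:10 ossec-srv SCEP[26457]: Malware alert: client3.domain.com "
    "Trojan:Win32/Example!constructed Number of infections: 2 "
    "Last detection time(UTC time): 2/23/2016 7:19:01 PM "
    "file:_C:\\Program Files\\Demo\\sample.jar Remove Failed"
)

# Phase 1 equivalent: split the syslog header (assumed layout) into the
# hostname, program_name and log fields that ossec-logtest printed.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[\s:]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# Phase 2 equivalent: the field extraction the thread's decoder does not do.
# The action vocabulary ("<verb> Succeeded|Failed") is an assumption.
SCEP_RE = re.compile(
    r"^Malware alert: (?P<client>\S+) (?P<threat>\S+) "
    r"Number of infections: (?P<count>\d+) "
    r"Last detection time\(UTC time\): (?P<detected>.+?) "
    r"file:_(?P<path>.+) (?P<action>\w+ (?:Succeeded|Failed))$"
)

# Rule 100130 as posted in the thread.
RULE = {
    "id": "100130",
    "level": 12,
    "decoded_as": "MSSCEP",
    "options": ("alert_by_email",),
    "description": "SCEP malware alert",
}


@dataclass
class ScepEvent:
    client: str
    threat: str
    count: int
    detected: str
    path: str
    action: str


def pre_decode(line: str) -> Optional[dict]:
    """Return hostname, program_name and log for a syslog line, or None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_scep(log: str) -> Optional[ScepEvent]:
    """Extract the SCEP fields from the message body, or None if it is not a malware alert."""
    m = SCEP_RE.match(log)
    if not m:
        return None
    return ScepEvent(
        client=m["client"], threat=m["threat"], count=int(m["count"]),
        detected=m["detected"], path=m["path"], action=m["action"],
    )


def should_email(rule_level: int, email_alert_level: int,
                 options=(), email_notification: bool = True) -> bool:
    """Simplified email decision: the global switch must be on, and the rule
    either reaches email_alert_level or carries alert_by_email."""
    if not email_notification:
        return False
    return rule_level >= email_alert_level or "alert_by_email" in options


def process_event(line: str, log_alert_level: int = 1,
                  email_alert_level: int = 7, email_notification: bool = True) -> dict:
    """Run one line through pre-decoding, the MSSCEP decoder (program_name match),
    rule 100130, and the alert/email thresholds from the posted ossec.conf."""
    pre = pre_decode(line)
    if pre is None or pre["program_name"] != "SCEP":
        return {"decoder": None, "alert": False, "email": False, "fields": None}
    fields = decode_scep(pre["log"])
    return {
        "decoder": RULE["decoded_as"],
        "rule_id": RULE["id"],
        "level": RULE["level"],
        "alert": RULE["level"] >= log_alert_level,
        "email": should_email(RULE["level"], email_alert_level,
                              RULE["options"], email_notification),
        "fields": asdict(fields) if fields else None,
    }


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LINE_SPACES):
        print(process_event(line))
    # Same rule, but with the global email switch off: alert yes, email no.
    print(process_event(SAMPLE_LINE, email_notification=False))
```

The point of the last call in the block is the one the thread circles around: with level 12 and alert_by_email the rule qualifies for email on its own terms, so when no mail goes out the remaining variables are the global email settings and the mail path itself rather than the rule or decoder.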
