Thanks Eero!

Yes, this works in my setup :) Tried it to make sure. Sendmail is installed 
on this particular box, so changed mail into sendmail and fired away :)

Best regards,
Fredrik 

On Wednesday, February 24, 2016 at 8:12:41 AM UTC+1, Eero Volotinen wrote:
>
> is this working on your ossec server:
>
> echo foo | mail youremail@yourdomain -s 'test'
>
> could you give example of your mail configuration? 
>
> Eero
>
> 2016-02-24 9:00 GMT+02:00 Fredrik <[email protected] <javascript:>>:
>
>> Thanks Eero!
>>
>> Anything specific to look for that could conflict with this particular 
>> alert - mail alerts seems to be working fine for other rules? 
>>
>> I checked the mail.info for anything obvious, but couldn't see anything 
>> suspicious at a first glance...
>>
>> Best regards,
>> Fredrik 
>>
>> On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
>>>
>>> Please check your mail server configuration?
>>>
>>> 2016-02-24 8:28 GMT+02:00 Fredrik <[email protected]>:
>>>
>>>> Thanks Santiago, please find more details below.
>>>>
>>>> Best regards,
>>>> Fredrik 
>>>>
>>>> Yes, I see the alert written to alerts.log (pulled the alert below out 
>>>> of the archive from yesterday) and email alerts are working for other 
>>>> rules. I also restarted ossec but to no avail. Strange! 
>>>>
>>>> ossec-alerts-23.log.gz:
>>>> Rule: 100130 (level 12) -> 'SCEP malware alert' Feb 23 20:37:00 ossec-svr 
>>>> SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-
>>>> 1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/
>>>> 2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\
>>>> Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>
>>>> ossec.conf:
>>>>  <alerts>
>>>>    <log_alert_level>1</log_alert_level>
>>>>    <email_alert_level>7</email_alert_level>
>>>>  </alerts>
>>>>
>>>>
>>>>  
>>>>
>>>> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett 
>>>> wrote:
>>>>>
>>>>> Did you say other alerts are triggering emails correctly? Everything 
>>>>> looks good to me, but here are some questions that might help 
>>>>> troubleshoot 
>>>>> the problem.
>>>>>
>>>>> Do you see the alert in alerts.log file?
>>>>> Have you configured other global email settings? 
>>>>> What is your email_alerts_level?
>>>>>
>>>>>
>>>>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Another question for all you Ossec gurus. I have another rule set up 
>>>>>> to handle messages in a somewhat strange format (below). I would like 
>>>>>> this 
>>>>>> to ultimately trigger an email alert - which is working for other rules. 
>>>>>>
>>>>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com 
>>>>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last 
>>>>>> detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\
>>>>>> AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 
>>>>>> Quarantine Succeeded
>>>>>>
>>>>>> I see that an alert is written to alerts.log, and ossec-logtest 
>>>>>> finished processing with **Alert to be generated. However, no email is 
>>>>>> sent? 
>>>>>>
>>>>>> <group name="attack,virus">
>>>>>>    <rule id="100130" level="12">
>>>>>>    <decoded_as>MSSCEP</decoded_as>
>>>>>>    <options>alert_by_email</options>
>>>>>>    <description>SCEP malware alert</description>
>>>>>>   </rule>
>>>>>> </group>
>>>>>>
>>>>>> As I wasn't sure how to best extract fields from the message above, 
>>>>>> the decoder simply matches on <program_name>, please feel free to 
>>>>>> suggest 
>>>>>> variants to decode the message and make use of the fields available in 
>>>>>> OSSEC. Perhaps my failure to do so, can have something to do with the 
>>>>>> missing email alert?
>>>>>>
>>>>>> <decoder name="MSSCEP">
>>>>>>   <program_name>SCEP</program_name>
>>>>>>   <type>syslog</type>
>>>>>> </decoder>
>>>>>>
>>>>>>
>>>>>> Finally, output from ossec-logtest:
>>>>>>
>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>        full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware 
>>>>>> alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of 
>>>>>> infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM 
>>>>>> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
>>>>>>  
>>>>>> Quarantine Succeeded'
>>>>>>        hostname: 'ossec-srv'
>>>>>>        program_name: 'SCEP'
>>>>>>        log: 'Malware alert: client2.domain.com 
>>>>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection 
>>>>>> time(UTC time): 8/5/2013 10:42:41 AM 
>>>>>> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
>>>>>>  
>>>>>> Quarantine Succeeded'
>>>>>>
>>>>>> **Phase 2: Completed decoding.
>>>>>>        decoder: 'MSSCEP'
>>>>>>
>>>>>> **Phase 3: Completed filtering (rules).
>>>>>>        Rule id: '100130'
>>>>>>        Level: '12'
>>>>>>        Description: 'SCEP malware alert'
>>>>>> **Alert to be generated.
>>>>>>
>>>>>> Best regards,
>>>>>> Fredrik 
>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> --- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>> -- 
>>>>
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected] <javascript:>.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to