Thanks Eero! Yes, this works in my setup :) Tried it to make sure. Sendmail is installed on this particular box, so changed mail into sendmail and fired away :)
Best regards,
Fredrik

On Wednesday, February 24, 2016 at 8:12:41 AM UTC+1, Eero Volotinen wrote:
>
> is this working on your ossec server:
>
> echo foo | mail youremail@yourdomain -s 'test'
>
> could you give example of your mail configuration?
>
> Eero
>
> 2016-02-24 9:00 GMT+02:00 Fredrik <[email protected]>:
>
>> Thanks Eero!
>>
>> Anything specific to look for that could conflict with this particular alert - mail alerts seem to be working fine for other rules?
>>
>> I checked the mail.info for anything obvious, but couldn't see anything suspicious at a first glance...
>>
>> Best regards,
>> Fredrik
>>
>> On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
>>>
>>> Please check your mail server configuration?
>>>
>>> 2016-02-24 8:28 GMT+02:00 Fredrik <[email protected]>:
>>>
>>>> Thanks Santiago, please find more details below.
>>>>
>>>> Best regards,
>>>> Fredrik
>>>>
>>>> Yes, I see the alert written to alerts.log (pulled the alert below out of the archive from yesterday) and email alerts are working for other rules. I also restarted ossec but to no avail. Strange!
>>>>
>>>> ossec-alerts-23.log.gz:
>>>> Rule: 100130 (level 12) -> 'SCEP malware alert'
>>>> Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>
>>>> ossec.conf:
>>>> <alerts>
>>>>   <log_alert_level>1</log_alert_level>
>>>>   <email_alert_level>7</email_alert_level>
>>>> </alerts>
>>>>
>>>> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
>>>>>
>>>>> Did you say other alerts are triggering emails correctly? Everything looks good to me, but here are some questions that might help troubleshoot the problem.
>>>>>
>>>>> Do you see the alert in alerts.log file?
>>>>> Have you configured other global email settings?
>>>>> What is your email_alerts_level?
>>>>>
>>>>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Another question for all you Ossec gurus. I have another rule set up to handle messages in a somewhat strange format (below). I would like this to ultimately trigger an email alert - which is working for other rules.
>>>>>>
>>>>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>>>
>>>>>> I see that an alert is written to alerts.log, and ossec-logtest finished processing with **Alert to be generated. However, no email is sent?
>>>>>>
>>>>>> <group name="attack,virus">
>>>>>>   <rule id="100130" level="12">
>>>>>>     <decoded_as>MSSCEP</decoded_as>
>>>>>>     <options>alert_by_email</options>
>>>>>>     <description>SCEP malware alert</description>
>>>>>>   </rule>
>>>>>> </group>
>>>>>>
>>>>>> As I wasn't sure how to best extract fields from the message above, the decoder simply matches on <program_name>; please feel free to suggest variants to decode the message and make use of the fields available in OSSEC. Perhaps my failure to do so can have something to do with the missing email alert?
>>>>>>
>>>>>> <decoder name="MSSCEP">
>>>>>>   <program_name>SCEP</program_name>
>>>>>>   <type>syslog</type>
>>>>>> </decoder>
>>>>>>
>>>>>> Finally, output from ossec-logtest:
>>>>>>
>>>>>> **Phase 1: Completed pre-decoding.
>>>>>> full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>> hostname: 'ossec-srv'
>>>>>> program_name: 'SCEP'
>>>>>> log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>>
>>>>>> **Phase 2: Completed decoding.
>>>>>> decoder: 'MSSCEP'
>>>>>>
>>>>>> **Phase 3: Completed filtering (rules).
>>>>>> Rule id: '100130'
>>>>>> Level: '12'
>>>>>> Description: 'SCEP malware alert'
>>>>>> **Alert to be generated.
>>>>>>
>>>>>> Best regards,
>>>>>> Fredrik
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
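For the field-extraction question in Fredrik's first message, an added example in Python (not from the thread, and not OSSEC's own decoder code): it splits the SCEP syslog line quoted above into named fields, and applies a simplified model of OSSEC's email decision with the thread's ossec.conf and rule values. The regex layout of the SCEP body and the email model are assumptions made here.

```python
import re

# Constructed sample: the SCEP line Fredrik posted, as it arrives via syslog.
SAMPLE_LINE = (
    "Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com "
    "Exploit:Java/CVE-2012-1723!jar Number of infections: 1 "
    "Last detection time(UTC time): 8/5/2013 10:42:41 AM "
    "file:_C:\\Users\\user1\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache"
    "\\6.0\\9\\748789-14f29c54 Quarantine Succeeded"
)

# Generic syslog header: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Assumed layout of the SCEP body, derived only from the line in the thread.
# The 'file:_' prefix is kept exactly as the page shows it.
SCEP_RE = re.compile(
    r"^Malware alert: (?P<client>\S+) (?P<threat>\S+) "
    r"Number of infections: (?P<count>\d+) "
    r"Last detection time\(UTC time\): (?P<detected>.+?) "
    r"file:_(?P<path>.+?) (?P<action>\w+) (?P<result>\w+)$"
)


def decode_scep(line):
    """Return the SCEP fields of one syslog line, or None if it is not SCEP
    (the program_name check mirrors the MSSCEP decoder in the thread)."""
    head = SYSLOG_RE.match(line)
    if not head or head.group("program") != "SCEP":
        return None
    body = SCEP_RE.match(head.group("msg"))
    if not body:
        return None  # program matched but the body layout is unknown
    fields = body.groupdict()
    fields["count"] = int(fields["count"])
    fields["reporter"] = head.group("hostname")  # host that relayed the event
    return fields


def email_for_rule(level, options, email_alert_level=7):
    """Simplified model (assumption) of when OSSEC emails an alert: the rule
    carries alert_by_email, or its level reaches <email_alert_level>, and
    no_email_alert is not set. With level 12 and alert_by_email, as in the
    thread, the rule qualifies either way, so the decoder is not the blocker."""
    if "no_email_alert" in options:
        return False
    return "alert_by_email" in options or level >= email_alert_level
```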
