Hi Eero! Thanks again. I will read up on mail configurations for OSSEC to make sure I have incorporated the requirements in my setup - any pointer to a good resource? Will start with the online docs and the books I have on the topic :)
You don't have any other tips on what could be worth investigating, given that email_alerts seems to be working for other rules?

Best regards,
Fredrik

On Wednesday, February 24, 2016 at 8:48:41 AM UTC+1, Eero Volotinen wrote:
>
> You should also point your ossec mail configuration to local smtp instance.
>
> --
> Eero
>
> 2016-02-24 9:34 GMT+02:00 Fredrik <[email protected]>:
>
>> Thanks Eero!
>>
>> Yes, this works in my setup :) Tried it to make sure. Sendmail is installed on this particular box, so changed mail into sendmail and fired away :)
>>
>> Best regards,
>> Fredrik
>>
>> On Wednesday, February 24, 2016 at 8:12:41 AM UTC+1, Eero Volotinen wrote:
>>>
>>> is this working on your ossec server:
>>>
>>> echo foo | mail youremail@yourdomain -s 'test'
>>>
>>> could you give example of your mail configuration?
>>>
>>> Eero
>>>
>>> 2016-02-24 9:00 GMT+02:00 Fredrik <[email protected]>:
>>>
>>>> Thanks Eero!
>>>>
>>>> Anything specific to look for that could conflict with this particular alert - mail alerts seem to be working fine for other rules?
>>>>
>>>> I checked the mail.info for anything obvious, but couldn't see anything suspicious at a first glance...
>>>>
>>>> Best regards,
>>>> Fredrik
>>>>
>>>> On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
>>>>>
>>>>> Please check your mail server configuration?
>>>>>
>>>>> 2016-02-24 8:28 GMT+02:00 Fredrik <[email protected]>:
>>>>>
>>>>>> Thanks Santiago, please find more details below.
>>>>>>
>>>>>> Best regards,
>>>>>> Fredrik
>>>>>>
>>>>>> Yes, I see the alert written to alerts.log (pulled the alert below out of the archive from yesterday) and email alerts are working for other rules. I also restarted ossec but to no avail. Strange!
>>>>>>
>>>>>> ossec-alerts-23.log.gz:
>>>>>> Rule: 100130 (level 12) -> 'SCEP malware alert'
>>>>>> Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>>>
>>>>>> ossec.conf:
>>>>>> <alerts>
>>>>>> <log_alert_level>1</log_alert_level>
>>>>>> <email_alert_level>7</email_alert_level>
>>>>>> </alerts>
>>>>>>
>>>>>> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
>>>>>>>
>>>>>>> Did you say other alerts are triggering emails correctly? Everything looks good to me, but here are some questions that might help troubleshoot the problem.
>>>>>>>
>>>>>>> Do you see the alert in alerts.log file?
>>>>>>> Have you configured other global email settings?
>>>>>>> What is your email_alerts_level?
>>>>>>>
>>>>>>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Another question for all you Ossec gurus. I have another rule set up to handle messages in a somewhat strange format (below). I would like this to ultimately trigger an email alert - which is working for other rules.
>>>>>>>>
>>>>>>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>>>>>
>>>>>>>> I see that an alert is written to alerts.log, and ossec-logtest finished processing with **Alert to be generated. However, no email is sent?
>>>>>>>>
>>>>>>>> <group name="attack,virus">
>>>>>>>> <rule id="100130" level="12">
>>>>>>>> <decoded_as>MSSCEP</decoded_as>
>>>>>>>> <options>alert_by_email</options>
>>>>>>>> <description>SCEP malware alert</description>
>>>>>>>> </rule>
>>>>>>>> </group>
>>>>>>>>
>>>>>>>> As I wasn't sure how to best extract fields from the message above, the decoder simply matches on <program_name>; please feel free to suggest variants to decode the message and make use of the fields available in OSSEC. Perhaps my failure to do so can have something to do with the missing email alert?
>>>>>>>>
>>>>>>>> <decoder name="MSSCEP">
>>>>>>>> <program_name>SCEP</program_name>
>>>>>>>> <type>syslog</type>
>>>>>>>> </decoder>
>>>>>>>>
>>>>>>>> Finally, output from ossec-logtest:
>>>>>>>>
>>>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>>> full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>>>> hostname: 'ossec-srv'
>>>>>>>> program_name: 'SCEP'
>>>>>>>> log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>>>>
>>>>>>>> **Phase 2: Completed decoding.
>>>>>>>> decoder: 'MSSCEP'
>>>>>>>>
>>>>>>>> **Phase 3: Completed filtering (rules).
>>>>>>>> Rule id: '100130'
>>>>>>>> Level: '12'
>>>>>>>> Description: 'SCEP malware alert'
>>>>>>>> **Alert to be generated.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Fredrik
>>>>>>>>
>>>>>>>> --
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
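Fredrik asks for a decoder variant that extracts fields from the SCEP line instead of only matching on program_name. The configuration below is an added example, not code from the thread or from the OSSEC project: it keeps the MSSCEP parent decoder and rule 100130 as posted, and adds a child decoder plus an escalation rule. The child decoder name MSSCEP-malware, rule id 100131, and the choice of which OSSEC field holds which value are assumptions; the regex is written in OSSEC's own regex dialect (\S, \d) and relies on syslog pre-decoding having already stripped the program name, as the ossec-logtest Phase 1 output above shows.

```xml
<!-- Added example, not from the thread. Parent decoder exactly as posted:
     it only establishes that the line came from program SCEP. -->
<decoder name="MSSCEP">
  <program_name>SCEP</program_name>
  <type>syslog</type>
</decoder>

<!-- Assumed child decoder (name is an assumption). It runs on the log
     portion left after pre-decoding, i.e. starting at "Malware alert: ".
     Capture groups map, in order, onto the OSSEC fields named in <order>:
       data       = reporting client  (client2.domain.com)
       extra_data = threat name       (Exploit:Java/CVE-2012-1723!jar)
       id         = number of infections (1)
     \S+ is "one or more non-space characters" and \d+ "one or more digits"
     in OSSEC regex syntax. The detection time and file path that follow are
     deliberately not captured, since paths can contain spaces and OSSEC's
     regex engine does not backtrack well over them. -->
<decoder name="MSSCEP-malware">
  <parent>MSSCEP</parent>
  <prematch>^Malware alert: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: (\d+) </regex>
  <order>data, extra_data, id</order>
</decoder>

<group name="attack,virus">
  <!-- Rule as posted: decoded_as matches the parent decoder name, so it
       still fires once the child decoder has filled in the fields. -->
  <rule id="100130" level="12">
    <decoded_as>MSSCEP</decoded_as>
    <options>alert_by_email</options>
    <description>SCEP malware alert</description>
  </rule>

  <!-- Assumed escalation rule (id is an assumption): uses the decoded
       extra_data field to raise the level when the threat name is an
       exploit rather than, say, adware. <extra_data> takes an OSSEC
       sregex, so ^Exploit: is an anchored literal prefix match. -->
  <rule id="100131" level="13">
    <if_sid>100130</if_sid>
    <extra_data>^Exploit:</extra_data>
    <options>alert_by_email</options>
    <description>SCEP malware alert: exploit detected on endpoint</description>
  </rule>
</group>
```

Running the posted sample line through ossec-logtest with this decoder in place should show the three decoded fields in Phase 2 in addition to the decoder name, and the escalation rule in Phase 3; the level-12/13 values stay above the email_alert_level of 7 from the posted ossec.conf, so neither rule needs alert_by_email to be mailed, and keeping the option merely makes that intent explicit.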
