Hi All!
Did some more testing earlier this afternoon and actually got the email to be sent. I removed the alert_by_email option and just let the rule fire by its level=12 classification. Restarted the ossec service, which I had done in the past multiple times. I will circle back to this one, but will move on and work on all the other decoders/rules that I'm hoping to be able to piece together. Thanks again for your help on this!

Best regards,
Fredrik

On Wednesday, February 24, 2016 at 7:28:05 AM UTC+1, Fredrik wrote:
>
> Thanks Santiago, please find more details below.
>
> Best regards,
> Fredrik
>
> Yes, I see the alert written to alerts.log (pulled the alert below out of
> the archive from yesterday) and email alerts are working for other rules. I
> also restarted ossec but to no avail. Strange!
>
> ossec-alerts-23.log.gz:
> Rule: 100130 (level 12) -> 'SCEP malware alert'
> Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>
> ossec.conf:
> <alerts>
>   <log_alert_level>1</log_alert_level>
>   <email_alert_level>7</email_alert_level>
> </alerts>
>
> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
>>
>> Did you say other alerts are triggering emails correctly? Everything
>> looks good to me, but here are some questions that might help troubleshoot
>> the problem.
>>
>> Do you see the alert in alerts.log file?
>> Have you configured other global email settings?
>> What is your email_alerts_level?
>>
>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> Another question for all you Ossec gurus. I have another rule set up to
>>> handle messages in a somewhat strange format (below). I would like this to
>>> ultimately trigger an email alert - which is working for other rules.
>>>
>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>
>>> I see that an alert is written to alerts.log, and ossec-logtest finished
>>> processing with **Alert to be generated. However, no email is sent?
>>>
>>> <group name="attack,virus">
>>>   <rule id="100130" level="12">
>>>     <decoded_as>MSSCEP</decoded_as>
>>>     <options>alert_by_email</options>
>>>     <description>SCEP malware alert</description>
>>>   </rule>
>>> </group>
>>>
>>> As I wasn't sure how to best extract fields from the message above, the
>>> decoder simply matches on <program_name>. Please feel free to suggest
>>> variants to decode the message and make use of the fields available in
>>> OSSEC. Perhaps my failure to do so can have something to do with the
>>> missing email alert?
>>>
>>> <decoder name="MSSCEP">
>>>   <program_name>SCEP</program_name>
>>>   <type>syslog</type>
>>> </decoder>
>>>
>>> Finally, output from ossec-logtest:
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>        hostname: 'ossec-srv'
>>>        program_name: 'SCEP'
>>>        log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'MSSCEP'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '100130'
>>>        Level: '12'
>>>        Description: 'SCEP malware alert'
>>> **Alert to be generated.
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
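For the field-extraction question raised in the first post (decoding the SCEP "Malware alert" line instead of matching only on program name), here is an added example of a parent/child decoder pair and a rule that uses the decoded result. It is not the poster's configuration and not an OSSEC-shipped decoder; the regex, the choice of which fixed OSSEC field holds which value, and the child rule id 100131 are my assumptions, to be checked with ossec-logtest against your own SCEP output before deployment.

```xml
<!-- Added example (not the poster's decoder, not an OSSEC-shipped one).
     Extracts fields from the SCEP "Malware alert" line quoted in the thread.
     The pattern uses OSSEC's own regex dialect (\S = non-space run,
     \d = digit, \w = letters/digits/_-@, \( \) = literal parentheses);
     run it through ossec-logtest and adjust if your SCEP lines differ. -->

<!-- Parent decoder: keyed on the syslog program name, as in the thread. -->
<decoder name="MSSCEP">
  <program_name>SCEP</program_name>
  <type>syslog</type>
</decoder>

<!-- Child decoder: runs only on "Malware alert:" lines and pulls out the
     infected client, threat name, infection count, file path and result.
     The field names are OSSEC's fixed decoder fields; mapping them as
     system_name = client, extra_data = threat, id = count, data = path,
     status = remediation result is my choice, not an OSSEC convention. -->
<decoder name="MSSCEP-malware">
  <parent>MSSCEP</parent>
  <prematch>^Malware alert: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: (\d+) Last detection time\(UTC time\): \S+ \S+ \S+ file:_(\S+) (\w+ \w+)$</regex>
  <order>system_name, extra_data, id, data, status</order>
</decoder>

<!-- Rules. 100130 is the poster's rule minus alert_by_email: level 12 is
     already above the poster's <email_alert_level>7</email_alert_level>,
     so it emails by level alone; alert_by_email is only needed for rules
     whose level sits below that threshold. 100131 is a hypothetical child
     rule (id chosen here) showing a decoded field driving a rule: events
     where SCEP reports the quarantine succeeded are kept at level 10,
     while any other result stays at the parent's level 12. -->
<group name="attack,virus">
  <rule id="100130" level="12">
    <decoded_as>MSSCEP</decoded_as>
    <description>SCEP malware alert</description>
  </rule>

  <rule id="100131" level="10">
    <if_sid>100130</if_sid>
    <status>Succeeded</status>
    <description>SCEP malware alert, quarantine succeeded</description>
  </rule>
</group>
```

With the child decoder in place, ossec-logtest's Phase 2 output should list the decoded fields (for the sample line: system_name client2.domain.com, id 1, status "Quarantine Succeeded", and so on), and those same values are then carried into alerts.log and the email body, so the infected host and file path are visible without reading the raw line.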
