On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare
<[email protected]> wrote:
> Hi,
>
> I'm trying to write my first rules by extending the existing postfix rules.
>
> Here's what I'm trying to test:
> <rule id="3307" level="6">
> <if_sid>3300</if_sid>
> <match>RBL lookup error:</match>
> <description>Host or domain name not found. Name service
> error</description>
> <group>spam,</group>
> </rule>
>
> Along with the log entry that I'm trying to test:
> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name
> not found. Name service error for name=199.249.24.179.list.dsbl.org type=A:
> Host not found, try again
>
This log message, by itself, does not decode to a postfix log message:
ossec-testrule: Type one log per line.
warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or
domain name not found. Name service error for
name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
**Phase 1: Completed pre-decoding.
full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup
error: Host or domain name not found. Name service error for
name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
hostname: 'ix'
program_name: '(null)'
log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
Host or domain name not found. Name service error for
name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
**Phase 2: Completed decoding.
No decoder matched.
Adding a random postfix + syslog header onto it helps:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning:
199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name
not found. Name service error for name=199.249.24.179.list.dsbl.org
type=A: Host not found, try again'
hostname: 'ix'
program_name: 'postfix/smtpd'
log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
Host or domain name not found. Name service error for
name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
**Phase 2: Completed decoding.
decoder: 'postfix'
**Phase 3: Completed filtering (rules).
Rule id: '3320'
Level: '0'
Description: 'Grouping of the postfix rules.'
But I'm not sure if your log sample is missing some bits or what.
> The rule is not firing; instead ossec-logtest is marking it as a "Level 2"
> alert, "Unknown problem somewhere in the system."
>
> What am I doing wrong here?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
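The reply above shows the dependency chain that makes the poster's rule unreachable: with no syslog header, pre-decoding leaves program_name as (null), so the program_name-keyed postfix decoder never matches, and rules hanging off the postfix grouping rule via if_sid are never evaluated. The following is an added example, not code from the thread or from OSSEC, that models the three ossec-logtest phases in Python on the two inputs from the reply. Assumptions: the header regex covers only the classic "Mon DD HH:MM:SS host program[pid]: msg" shape; the postfix decoder is modelled as "program_name starts with postfix/"; rule 1002 is an approximation of OSSEC's generic level-2 "Unknown problem somewhere in the system" rule and its word list is not reproduced; rule 3307 is the poster's rule as quoted, hung under grouping rule 3300 as in the poster's file. In the thread's own run only the grouping rule matched; this model includes the poster's rule to show the chain, and is not OSSEC's real evaluation order.

```python
import re

# Constructed sample inputs: the bare message quoted in the thread, and the
# same message with the syslog header the reply prepended before re-testing.
BARE_LINE = (
    "warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name "
    "not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: "
    "Host not found, try again"
)
SYSLOG_LINE = "Mar 27 13:00:01 ix postfix/smtpd[2222]: " + BARE_LINE

# Phase 1 (pre-decoding): pull hostname, program_name and message body out of a
# classic "Mon DD HH:MM:SS host program[pid]: msg" syslog header. Real OSSEC
# accepts several more header shapes; this regex is the minimum for the thread.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "   # timestamp
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\s\[\]:]+)(?:\[\d+\])?: "  # program_name, optional [pid]
    r"(?P<log>.*)$"
)

def predecode(line, local_hostname="ix"):
    """Phase 1. Without a header, program_name stays None and the whole
    line becomes the log body, matching the '(null)' ossec-logtest printed."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return {"hostname": local_hostname, "program_name": None, "log": line}
    return {"hostname": m["hostname"], "program_name": m["program"], "log": m["log"]}

# Phase 2 (decoding): the postfix decoder is modelled as keyed on program_name
# beginning with "postfix/" (assumption). A decoder keyed on program_name can
# never match an event whose program_name is None.
def decode(event):
    prog = event["program_name"] or ""
    return "postfix" if prog.startswith("postfix/") else None

# Phase 3 (rules): a deliberately small rule model. 3300 is the postfix grouping
# rule the poster hooks into with <if_sid>; 3307 is the poster's rule (<match>
# is a plain substring test when no regex is used). 1002 approximates OSSEC's
# generic "Unknown problem somewhere in the system" rule, which fires on words
# such as "error" when no decoder-specific rule claims the event (assumption;
# the real word list is longer).
POSTFIX_RULES = [
    {"id": 3300, "level": 0, "description": "Grouping of the postfix rules."},
    {"id": 3307, "level": 6, "if_sid": 3300, "match": "RBL lookup error:",
     "description": "Host or domain name not found. Name service error"},
]
GENERIC_RULES = [
    {"id": 1002, "level": 2, "match": "error",
     "description": "Unknown problem somewhere in the system."},
]

def run_rules(event, decoder):
    """Walk the decoder's rule list (parent first, then children whose if_sid
    points at the matched parent); fall back to the generic rules otherwise."""
    candidates = POSTFIX_RULES if decoder == "postfix" else GENERIC_RULES
    matched = None
    for rule in candidates:
        parent_ok = "if_sid" not in rule or (
            matched is not None and matched["id"] == rule["if_sid"])
        body_ok = "match" not in rule or rule["match"] in event["log"]
        if parent_ok and body_ok:
            matched = rule
    return matched

def logtest(line):
    """Run the three phases and summarise them the way ossec-logtest does."""
    event = predecode(line)
    decoder = decode(event)
    rule = run_rules(event, decoder)
    return {
        "program_name": event["program_name"],
        "decoder": decoder,
        "rule_id": rule["id"] if rule else None,
        "level": rule["level"] if rule else None,
    }

if __name__ == "__main__":
    for label, line in (("bare", BARE_LINE), ("with syslog header", SYSLOG_LINE)):
        print(label, logtest(line))
```

Running it shows the bare line ending at the generic level-2 rule, which is the alert the poster saw, while the same message behind a postfix/smtpd syslog header reaches the postfix decoder and, in this model, the poster's rule. The practical check is the one the reply performs: paste a full line as the log file actually contains it, header included, and confirm program_name and decoder are populated before looking at the rule.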