On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <[email protected]> wrote:
> Hi, could you give me an example of using tcpdump in this case?
>

tcpdump -nnXxevvs 0 port 25

> cheers
>
> On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <[email protected]> wrote:
>> > Hi, since it is a fresh install of ossec, I didn't get any emails. The
>> > notification is turned on as
>> >
>>
>> Try using tcpdump (looking for connections to the email server from
>> the OSSEC system)
>> or check the maillogs on the email server to determine if there is an
>> error when sending.
>>
>> > <alert_new_files>yes</alert_new_files>
>> >
>> > in ossec.conf
>> >
>> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <[email protected]> wrote:
>> >> > Hi, I installed ossec local on my cloud server, and configured
>> >> > ossec.conf as follows. I tried to detect new additions using
>> >> > <alert_new_files>yes</alert_new_files>.
>> >> >
>> >> > <global>
>> >> >   <email_notification>yes</email_notification>
>> >> >   <email_to>[email protected]</email_to>
>> >> >   <smtp_server>ns0.bt.net.</smtp_server>
>> >> >   <email_from>[email protected]</email_from>
>> >> > </global>
>> >> > <syscheck>
>> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >> >   <frequency>79200</frequency>
>> >> >   <alert_new_files>yes</alert_new_files>
>> >> >
>> >> >   <!-- Directories to check (perform all possible verifications) -->
>> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
>> >> > </syscheck>
>> >> >
>> >> > The local_rules.xml is like,
>> >> >
>> >> > <group name="local,syslog,">
>> >> >
>> >> >   <!-- Note that rule id 5711 is defined at the ssh_rules file
>> >> >      - as a ssh failed login. This is just an example
>> >> >      - since ip 1.1.1.1 shouldn't be used anywhere.
>> >> >      - Level 0 means ignore.
>> >> >   -->
>> >> >   <rule id="100001" level="0">
>> >> >     <if_sid>5711</if_sid>
>> >> >     <srcip>1.1.1.1</srcip>
>> >> >     <description>Example of rule that will ignore sshd </description>
>> >> >     <description>failed logins from IP 1.1.1.1.</description>
>> >> >   </rule>
>> >> >
>> >> >   <rule id="554" level="7" overwrite="yes">
>> >> >     <category>ossec</category>
>> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>> >> >     <description>File added to the system.</description>
>> >> >     <group>syscheck,</group>
>> >> >   </rule>
>> >> > </group> <!-- SYSLOG,LOCAL -->
>> >> >
>> >> > Now, if I added a file in home/user_name, there is no email
>> >> > notification coming through the SMTP server. I am using smtp.bt.net,
>> >> > using
>> >> >
>> >> > dig -t mx smtp.bt.net
>> >> >
>> >> > to get the SMTP server. What are the possible reasons that I am not
>> >> > getting the email?
>> >> >
>> >>
>> >> Are you getting emails for other alerts?
>> >> Are alerts being triggered for these new files?
>> >>
>> >> > Many thanks
>> >> >

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
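The questions dan raises in this thread (is maild configured, would rule 554 be mailed at all, can the OSSEC host reach the SMTP server on port 25) can be checked before reaching for tcpdump. The script below is an added example, not code from the thread or from the OSSEC project; it uses constructed excerpts modelled on the posted ossec.conf and local_rules.xml, and assumes OSSEC only mails alerts whose level is at or above <email_alert_level> (default 7).

```python
import socket
import xml.etree.ElementTree as ET

# Constructed excerpts modelled on the ossec.conf and local_rules.xml posted in the thread.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>ns0.bt.net.</smtp_server>
  </global>
</ossec_config>"""
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

def check_email_config(ossec_conf, local_rules, rule_id="554"):
    """Return findings explaining why an alert from rule_id may never become an email."""
    findings = []
    root = ET.fromstring(ossec_conf)
    g = root.find("global")
    if g is None:
        return ["no <global> section: email notification is not configured at all"]
    if (g.findtext("email_notification") or "").strip() != "yes":
        findings.append("email_notification is not 'yes': maild will not send anything")
    smtp = (g.findtext("smtp_server") or "").strip()
    if not smtp:
        findings.append("smtp_server is missing: maild has nowhere to deliver")
    elif smtp.endswith("."):
        findings.append("smtp_server %r has a trailing dot as printed by dig; confirm maild resolves it, or use %r" % (smtp, smtp.rstrip(".")))
    # Assumption: OSSEC mails only alerts at or above <alerts><email_alert_level>, default 7.
    threshold = int((root.findtext("alerts/email_alert_level") or "7").strip())
    # Rules files are XML fragments (possibly several <group> roots), so wrap them before parsing.
    rules = ET.fromstring("<rules>%s</rules>" % local_rules)
    rule = rules.find(".//rule[@id='%s']" % rule_id)
    if rule is None:
        findings.append("rule %s not found in local_rules.xml: nothing to mail" % rule_id)
    elif int(rule.get("level", "0")) < threshold:
        findings.append("rule %s level %s is below email_alert_level %d" % (rule_id, rule.get("level"), threshold))
    return findings

def smtp_reachable(host, port=25, timeout=5):
    """TCP-connect from the OSSEC host and return the SMTP banner (what 'tcpdump port 25' would show)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return True, s.recv(256).decode("ascii", "replace").strip()
    except OSError as exc:
        return False, str(exc)
```

Run check_email_config against the real files first; if it returns nothing, call smtp_reachable with the configured smtp_server from the OSSEC host and compare with what the tcpdump capture and the mail server's logs show.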
