On Tue, Feb 14, 2017 at 7:11 PM, <[email protected]> wrote:
> Hi! I'm trying to remove these notifications from mailscanner.
>
>
> OSSEC HIDS Notification.
> 2017 Feb 14 06:29:41
>
> Received From: hostname->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list
> updated
>
>
> --END OF NOTIFICATION
>
>
> I've tried to make a rule for it but it's not working. Any help is
> appreciated!
>
> <rule id="3752" level="0">
> <if_sid>1002</if_sid>
> <match>update.bad.phishing.sites: Phishing bad sites list updated</match>
As you can see below, "update.bad.phishing.sites" is decoded as the
program name:
**Phase 1: Completed pre-decoding.
full event: 'Feb 14 06:29:39 hostname
update.bad.phishing.sites: Phishing bad sites list updated'
hostname: 'hostname'
program_name: 'update.bad.phishing.sites'
log: 'Phishing bad sites list updated'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
Using the rule:
<rule id="100067" level="0">
<if_sid>1002</if_sid>
<program_name>update.bad.phishing.sites</program_name>
<match>^Phishing bad sites list updated</match>
<description>ignore</description>
</rule>
Gives me the following output:
**Phase 1: Completed pre-decoding.
full event: 'Feb 14 06:29:39 hostname
update.bad.phishing.sites: Phishing bad sites list updated'
hostname: 'hostname'
program_name: 'update.bad.phishing.sites'
log: 'Phishing bad sites list updated'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '100067'
Level: '0'
Description: 'ignore'
> <description>Ignore mailscanner update messages.</description>
> </rule>
>
> --
> Göran Lundberg
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
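The reason the first rule never fires, worked through as an added example (this is not code from the thread or from OSSEC): by the time rules are evaluated, the pre-decoder has already split "update.bad.phishing.sites" out of the line into the program_name field, so <match> is compared against the remaining log portion ("Phishing bad sites list updated") and the longer "prog: message" string from rule 3752 is never present in that field. The regex below is a simplified stand-in for OSSEC's syslog pre-decoder, and sregex_match only handles plain substrings and a leading "^" anchor; both are assumptions made for illustration.

```python
import re

# Constructed sample event, copied from the alert quoted in the thread.
SAMPLE_LINE = ("Feb 14 06:29:39 hostname "
               "update.bad.phishing.sites: Phishing bad sites list updated")

# Simplified version of the syslog pre-decoder (Phase 1 in ossec-logtest):
# timestamp, hostname, program_name (optional [pid]) and the remaining message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)


def predecode(line):
    """Return the fields the pre-decoder extracts from a syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Non-syslog line: the whole line stays in 'log', no program_name.
        return {"full_event": line, "log": line}
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["full_event"] = line
    return fields


def sregex_match(pattern, text):
    """Approximation of <match>: substring test unless anchored with '^'."""
    # Assumption: only '^' anchoring and plain substrings are modelled here.
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text


def rule_matches(rule, event):
    """Evaluate a minimal rule (dict form of the XML) against decoded fields."""
    if "program_name" in rule and event.get("program_name") != rule["program_name"]:
        return False
    if "match" in rule:
        # <match> is tested against the 'log' portion only: the program name
        # has already been stripped into its own field.
        if not sregex_match(rule["match"], event.get("log", "")):
            return False
    return True


# The rule from the original post: the "prog: message" string is never in 'log'.
RULE_ORIGINAL = {"id": "3752", "level": 0,
                 "match": "update.bad.phishing.sites: Phishing bad sites list updated"}

# The working rule from the reply: program_name plus an anchored match on 'log'.
RULE_FIXED = {"id": "100067", "level": 0,
              "program_name": "update.bad.phishing.sites",
              "match": "^Phishing bad sites list updated"}


def evaluate(line):
    """Map each rule id to whether it matches the given line."""
    event = predecode(line)
    return {rule["id"]: rule_matches(rule, event) for rule in (RULE_ORIGINAL, RULE_FIXED)}


if __name__ == "__main__":
    for key, value in predecode(SAMPLE_LINE).items():
        print(f"{key}: {value!r}")
    print(evaluate(SAMPLE_LINE))  # {'3752': False, '100067': True}
```

Running the script prints the same field split ossec-logtest shows in Phase 1 and reports that only rule 100067 matches. Because the fixed rule also checks program_name, the same message text logged by a different program will not be silenced, which is the behaviour you want from a level 0 "ignore" rule.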