On Fri, Feb 17, 2017 at 9:14 AM, Göran Lundberg <[email protected]> wrote:
> It's working perfectly. Hope you can add it to the default rules for
> mailscanner. The script is run four times a day. It's really annoying
> getting 4 unnecessary emails per day.
>
Removing 4 unnecessary emails/day from my inbox wouldn't make a dent!
Thanks for reporting back, I'll submit a PR.

> Thanks a lot for the help!
>
> Best regards
> Göran Lundberg
>
> "dan (ddp)" <[email protected]> wrote (15 February 2017 22:17:23 CET):
>>
>> On Wed, Feb 15, 2017 at 4:08 PM, Göran Lundberg <[email protected]> wrote:
>>>
>>> This makes sense, thanks. Will try it.
>>>
>>> By the way, shouldn't this be in the default ossec ruleset for mailscanner?
>>> It's triggering on rule 1002 on the word 'bad'. But this isn't anything bad.
>>> It's confirming that the cronjob that updates the phishing database is completed.
>>>
>>> This is run on a default raspbian/debian installation with mailscanner and
>>> ossec from the official repository. Didn't install any extra packages or
>>> configurations for mailscanner.
>>>
>>> Can anyone add this upstream to the mailscanner_rules.xml? If it is
>>> confirmed to work that is.
>>
>> Test it out and let me know. If it works as intended I'll try to put it in.
>>
>>> --
>>> Best regards,
>>> Göran Lundberg
>>>
>>> On 2017-02-15 21:05, dan (ddp) wrote:
>>>>
>>>> On Tue, Feb 14, 2017 at 7:11 PM, <[email protected]> wrote:
>>>>>
>>>>> Hi! I'm trying to remove these notifications from mailscanner.
>>>>>
>>>>> OSSEC HIDS Notification.
>>>>> 2017 Feb 14 06:29:41
>>>>>
>>>>> Received From: hostname->/var/log/syslog
>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>>> Portion of the log(s):
>>>>>
>>>>> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated
>>>>>
>>>>> --END OF NOTIFICATION
>>>>>
>>>>> I've tried to make a rule for it but it's not working. Any help is
>>>>> appreciated!
>>>>>
>>>>> <rule id="3752" level="0">
>>>>>   <if_sid>1002</if_sid>
>>>>>   <match>update.bad.phishing.sites: Phishing bad sites list updated</match>
>>>>
>>>> As you can see below, "update.bad.phishing.sites" is decoded as the
>>>> program name:
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
>>>>        hostname: 'hostname'
>>>>        program_name: 'update.bad.phishing.sites'
>>>>        log: 'Phishing bad sites list updated'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        No decoder matched.
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>        Rule id: '1002'
>>>>        Level: '2'
>>>>        Description: 'Unknown problem somewhere in the system.'
>>>> **Alert to be generated.
>>>>
>>>> Using the rule:
>>>>
>>>> <rule id="100067" level="0">
>>>>   <if_sid>1002</if_sid>
>>>>   <program_name>update.bad.phishing.sites</program_name>
>>>>   <match>^Phishing bad sites list updated</match>
>>>>   <description>ignore</description>
>>>> </rule>
>>>>
>>>> Gives me the following output:
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
>>>>        hostname: 'hostname'
>>>>        program_name: 'update.bad.phishing.sites'
>>>>        log: 'Phishing bad sites list updated'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        No decoder matched.
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>        Rule id: '100067'
>>>>        Level: '0'
>>>>        Description: 'ignore'
>>>>
>>>>>   <description>Ignore mailscanner update messages.</description>
>>>>> </rule>
>>>>>
>>>>> --
>>>>> Göran Lundberg
>>>>> --
>>>>> This message has been scanned for viruses and
>>>>> dangerous content by MailScanner, and is
>>>>> believed to be clean.
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
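The reason the first rule never fired and the second one did comes down to what OSSEC's `<match>` is compared against after pre-decoding. The script below is an added illustration, not OSSEC code and not something either participant posted: it mimics the syslog pre-decoder split (hostname / program_name / log) shown in the logtest output and a deliberately minimal rule matcher. The regex used for the split, the "leading `^` anchors, otherwise substring" reading of `<match>`, and the trimmed `BAD_WORDS` list standing in for rule 1002's `$BAD_WORDS` are all simplifying assumptions; the sample log line is the one from the notification in the thread.

```python
"""Toy walk-through of the ossec-logtest phases from the thread.

Added example (not OSSEC's implementation). It shows why a <match> written
against the whole syslog line never fires: by the time rules run, the
program name has already been split off and <match> only sees the 'log'
field. The <program_name> + anchored <match> pair from the reply works
because each element is compared against the field it was decoded into.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the exact line quoted in the OSSEC notification.
SAMPLE_LINE = ("Feb 14 06:29:39 hostname update.bad.phishing.sites: "
               "Phishing bad sites list updated")

# Assumed syslog layout: "<Mon dd HH:MM:SS> <host> <prog>[pid]: <msg>".
# Real OSSEC pre-decoding is more forgiving; this is enough for the demo.
_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\s\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line: str) -> dict:
    """Phase 1: split a line into the fields ossec-logtest prints."""
    m = _SYSLOG_RE.match(line)
    if not m:
        # No recognisable syslog header: whole line becomes the log field.
        return {"full_event": line, "hostname": None,
                "program_name": None, "log": line}
    return {"full_event": line, "hostname": m["host"],
            "program_name": m["prog"], "log": m["log"]}


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    if_sid: Optional[int] = None
    program_name: Optional[str] = None
    match: Optional[str] = None


def _ossec_match(pattern: str, text: str) -> bool:
    """Simplified <match>: a leading '^' anchors to the start of the log
    field, otherwise it is a plain substring test (assumption; OSSEC's
    pattern syntax has more features than this)."""
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text


# Trimmed stand-in for OSSEC's $BAD_WORDS. Note the spaces around " bad ":
# that is what 'Phishing bad sites' trips over.
BAD_WORDS = ["error", "failure", " bad ", "denied", "refused", "fatal"]

RULE_1002 = Rule(1002, 2, "Unknown problem somewhere in the system.")


def evaluate(event: dict, local_rules: list) -> Rule:
    """Phase 3: rule 1002 fires on a bad word; the first child rule whose
    <if_sid>, <program_name> and <match> all hold then overrides it."""
    log = event["log"]
    if not any(w in log for w in BAD_WORDS):
        return Rule(0, 0, "no rule matched")
    winner = RULE_1002
    for r in local_rules:
        if r.if_sid != RULE_1002.rule_id:
            continue
        if r.program_name is not None and r.program_name != event["program_name"]:
            continue
        if r.match is not None and not _ossec_match(r.match, log):
            continue
        winner = r
        break
    return winner


# Göran's first attempt: the pattern includes the program name, which is
# no longer part of the 'log' field when <match> runs.
BROKEN_RULE = Rule(3752, 0, "Ignore mailscanner update messages.", if_sid=1002,
                   match="update.bad.phishing.sites: Phishing bad sites list updated")

# The rule from dan's reply: each condition checks the field it belongs to.
WORKING_RULE = Rule(100067, 0, "ignore", if_sid=1002,
                    program_name="update.bad.phishing.sites",
                    match="^Phishing bad sites list updated")


def alert_level(line: str, local_rules: list) -> int:
    """Convenience wrapper: final alert level for one raw line."""
    return evaluate(predecode(line), local_rules).level


if __name__ == "__main__":
    ev = predecode(SAMPLE_LINE)
    for k, v in ev.items():
        print(f"{k}: {v!r}")
    print("broken rule  ->", evaluate(ev, [BROKEN_RULE]))
    print("working rule ->", evaluate(ev, [WORKING_RULE]))
```

The `program_name` condition is what keeps the silencing rule narrow: the same "Phishing bad sites list updated" text logged by a different program still raises the level 2 alert, so the override only hides the one cron job's status line. OSSEC reserves rule IDs 100000-119999 for local rules, which is why the reply's rule uses 100067 rather than an ID in the shipped-rule range.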
