On Sat, Mar 25, 2017 at 6:32 PM, Justin Redman <redman7...@gmail.com> wrote:
> I'm receiving generic level 2 rule 1002 "Unknown problem somewhere in the
> system" alerts. It is opendkim reporting "bad signature data" in syslog when
> receiving email from some domains. Unfortunately not everyone seems to be
> on the opendkim train as I get these alerts when I receive email from
> blizzard.com among other legitimate domains.
>
> So my question is do I really need to make a custom decoder, or would a rule
> be enough, and can this rule go into local_rules.xml?

You only need a decoder if there is information in the logs you want to use for active response or rules. If you just want something to ignore those logs, you do not need a decoder. And local_rules.xml is the right place to put the custom rule.
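
A rule of the kind this reply describes, as an added example that is not part of the original thread: a child of rule 1002 set to level 0, placed in local_rules.xml, so that the opendkim lines no longer raise an alert. The rule id 100100 and the group name are assumptions, and the program_name test assumes the syslog header gives "opendkim" as the program name.

```xml
<!-- local_rules.xml: added example, not from the original thread -->
<group name="local,syslog,">

  <!-- id 100100 is an assumed, otherwise unused id in the range
       reserved for user-defined rules (100000 and above). -->
  <rule id="100100" level="0">
    <!-- Only evaluated for events that already matched generic rule 1002. -->
    <if_sid>1002</if_sid>
    <!-- Limit the exception to opendkim so other "Unknown problem"
         events still alert. Assumes the pre-decoded program name
         is "opendkim". -->
    <program_name>opendkim</program_name>
    <!-- The message text quoted in the question. -->
    <match>bad signature data</match>
    <description>Ignore opendkim "bad signature data" messages.</description>
  </rule>

</group>
```

Pasting one of the affected syslog lines into ossec-logtest shows whether the event now ends at the new level 0 rule instead of rule 1002.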