Ignore Rules/Stop Email Alerts


Steve W

May 25, 2012, 4:14:51 AM
to ossec-list
Hi There,

My name is Steve W. Currently I have OSSEC 2.6 running on our web &
email server, as a local instance. I have my settings to only receive
email alerts with a level/score of 7 or higher. Ever since the
installation, I have been getting many of the following alerts to my
email, and some of them are less than 7, and I am still getting email
alerts. I have tried creating ignore rules, and yet they continue to
come. But now I have realized that I don't want it to completely
ignore the rule; I would like it to log the alerts, just not send me
an email alert about it. Below are the email alerts I am getting.



Rule: 3353 fired (level 10) -> "Multiple attempts to send e-mail from
invalid/unknown sender domain."
Apr 26 08:25:57 ccgr postfix/smtpd[9191]: NOQUEUE: reject: RCPT from
unknown[118.126.1.112]: 450 4.7.1 Client host rejected: cannot find
your hostname, [118.126.1.112]; from=<sa...@geisnic.com>
to=<ser...@server.org> proto=ESMTP helo=<okmail.v01.cn>

**Since this is a level 10, I would like to have an alert sent to the
logs, but not email me about it because there are hundreds of these
alerts each day.**



Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: '/etc/init.d/.depend.stop'
Size changed from '1288' to '1352'
Old md5sum was: '9a2f9ffa43ebf20abd96b94663b868ef'
New md5sum is : 'a7baf0eb4beb852af4f07f4ce4e67f5f'
Old sha1sum was: '7ae0416e7efcfaf0a6a2d725c223deebcf46f48f'
New sha1sum is : 'f56dcbc8c79c47c1d4ff11cbed81605a216114ba'

**This is a level 7 rule, so it also should be emailed to me. Lately
there are a lot of these alerts flooding my inbox, and I would like to
just save the alert to log (log the alert), but not email me.**



Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
system."
May 24 06:25:10 ccgr /USR/SBIN/CRON[19055]: (CRON) error (grandchild
#19056 failed with exit status 1)

**This is one of the many level 2 alerts I have been getting, and it
is still sending me these alerts to my email, even though I have it
set to only email me with alerts with a level 7 or higher.**

**Here is an example of the rules I have been trying to create, but
they are not working. Any help would be greatly appreciated.**

<rule id="100501" level="2">
<if_sid>1002</if_sid>
<options>no_email_alert</options>
<description>Ignoring rule 1002.</description>
</rule>


<rule id="100502" level="10">
<if_sid>3353,3357</if_sid>
<options>no_email_alert</options>
<program_name>postfix/smtpd</program_name>
<description>Multiple attempts to send e-mail from invalid/unknown
sender domain.</description>
</rule>


<rule id="100504" level="7">
<if_sid>550,551,552,2902</if_sid>
<options>no_email_alert</options>
<match>Integrity checksum changed</match>
<description>New packages installed, and checksum changes</description>
</rule>





Thank You

Steve Wieczorek
St...@typhoontech.net

dan (ddp)

May 25, 2012, 6:48:36 AM
to ossec...@googlegroups.com

dan (ddp)

May 25, 2012, 9:14:59 AM
to ossec...@googlegroups.com
Don't do this. Create rules for the log messages 1002 is triggered by.
1002 is a good rule to have.

>
>  <rule id="100502" level="10">
>   <if_sid>3353,3357</if_sid>
>  <options>no_email_alert</options>
>   <program_name>postfix/smtpd</program_name>
>   <description>Multiple attempts to send e-mail from invalid/unknown
> sender domain.</description>
>  </rule>
>

Instead of using the no_email_alert option, try just lowering the
level to below 7 (and above your minimum log level). Also, you
probably don't need both the <program_name> and the <if_sid>.

>
> <rule id="100504" level="7">
>  <if_sid>550,551,552,2902</if_sid>
> <options>no_email_alert</options>
>  <match>Integrity checksum changed</match>
>  <description>New packages installed, and checksum changes</description>
> </rule>
>

Again, try with a lower level and without the no_email_alert option.
You probably don't need the generic <match> when you have the sids
there.

>
>   Thank You
>
> Steve Wieczorek
> St...@typhoontech.net

Remember to use ossec-logtest to test your changes. You'll generally
have to tweak all but the simplest of rules, I know I do.

Steve W

May 26, 2012, 3:10:40 PM
to ossec-list

Hey man, I really appreciate your help here. I understand what you
mean by not ignoring 1002 (Unknown problem somewhere in the system).
Makes sense, I appreciate the advice on that. Ok, my only other
remaining issues are for the following alerts: 550 (integrity checksum
changed). You would think I want to see alerts like this, but there
are just so many coming in. 551 (Integrity checksum changed again (2nd
time)). I get a bunch of these also. 552 (integrity checksum changed
again (3rd time)). I think I would like to do this, but can't figure
out how. I don't want emails alerting me that a checksum has
changed the 1st (550) and 2nd (551) time. But, if a checksum has changed
on a file for a third time, then send me an email. So can I tell it to
**log only** rules 551 & 552? But if a file has changed for a third
time, then send me an email alert. I want the first & second attempts
to be logged for sure, but no email alerts. For my alert threshold to
send email alerts, the rule has to be at least a 7 or higher. Any thoughts
on this? I have tried putting a rule in my local_rules.xml, but still
get email alerts. Is there something wrong with the way I am writing the rule/s?

<rule id="100200" level="7">
<if_sid>550,551</if_sid>
<description>Integrity checksum has changed again</description>
</rule>

Do you see a problem with this?

The last alert I am having trouble with is 3353 (Multiple attempts
to send e-mail from invalid/unknown sender domain). I want this, like
the previous rule, except to not get any emails, just log all the
alerts. 3353 fires as a level 10. Here is the rule I created, but it
doesn't seem to work. Any thoughts?

<rule id="100300" level="10">
<if_sid>3353</if_sid>
<description>Multiple attempts to send e-mail from invalid/unknown
sender domain</description>
</rule>

Does that look correct, or are there things I should/need to change?

Again, I appreciate your response, and thank you in advance for any
input or advice you might be able to give me. Thanks buddy.


Steve W


dan (ddp)

May 28, 2012, 8:25:40 AM
to ossec...@googlegroups.com
On Sat, May 26, 2012 at 3:10 PM, Steve W <stev...@gmail.com> wrote:
>
>  Hey man, I really appreciate your help here. I understand what you
> mean by not ignoring 1002 (Unknown problem somewhere in the system).
> Makes sense, I appreciate the advice on that. Ok, my only other
> remaining issues are for the following alerts: 550 (integrity checksum
> changed). You would think I want to see alerts like this, but there
> are just so many coming in. 551 (Integrity checksum changed again (2nd
> time)). I get a bunch of these also. 552 (integrity checksum changed
> again (3rd time)). I think I would like to do this, but can't figure
> out how. I don't want emails alerting me that a checksum has
> changed the 1st (550) and 2nd (551) time. But, if a checksum has changed
> on a file for a third time, then send me an email. So can I tell it to
> **log only** rules 551 & 552? But if a file has changed for a third
> time, then send me an email alert. I want the first & second attempts
> to be logged for sure, but no email alerts. For my alert threshold to
> send email alerts, the rule has to be at least a 7 or higher. Any thoughts
> on this? I have tried putting a rule in my local_rules.xml, but still
> get email alerts. Is there something wrong with the way I am writing the rule/s?
>
> <rule id="100200" level="7">

If you don't want to see emails on sids 550/551, and you're emailing
all alerts level 7 or greater, why did you set this to level 7?

>   <if_sid>550,551</if_sid>
>   <description>Integrity checksum has changed again</description>
> </rule>
>
> Do you see a problem with this?
>
>  The last alert I am having trouble with is 3353 (Multiple attempts
> to send e-mail from invalid/unknown sender domain). I want this, like
> the previous rule, except to not get any emails, just log all the
> alerts. 3353 fires as a level 10. Here is the rule I created, but it
> doesn't seem to work. Any thoughts?
>
> <rule id="100300" level="10">

Why do you set this to a level 10? 10 > 7.
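Putting dan's two replies together, here is an added example of local_rules.xml overrides that follow his advice; it is not code from the thread, and the chosen level (5) and the descriptions are my assumptions, on the assumption that ossec.conf carries email_alert_level 7 and the default log_alert_level 1.

```xml
<!-- local_rules.xml (added example, not from the thread): child rules that
     override the level of the noisy parent rules. A child with only <if_sid>
     matches every time the parent fires, so the alert is written with the
     child's id and level. Assumes <email_alert_level>7</email_alert_level>
     and <log_alert_level>1</log_alert_level> in ossec.conf, as in Steve's setup. -->
<group name="local,syslog,">

  <!-- 550 (1st change) fires at level 7, which is exactly the email
       threshold, and 551 (2nd change) is treated the same way here.
       Level 5 (an assumed value; anything from 1 to 6 works) keeps them
       in alerts.log but below the email cut-off. 552 (3rd change) is
       deliberately left untouched so it still emails. -->
  <rule id="100200" level="5">
    <if_sid>550,551</if_sid>
    <description>Integrity checksum changed (1st/2nd time): log only.</description>
  </rule>

  <!-- 3353 fires at level 10 for the repeated Postfix rejects. Same idea:
       level 5 means logged, not emailed. No <options>no_email_alert</options>
       and no extra <program_name> or <match>, since <if_sid> already selects it. -->
  <rule id="100300" level="5">
    <if_sid>3353</if_sid>
    <description>Multiple attempts to send e-mail from invalid/unknown sender domain (log only).</description>
  </rule>

</group>
```

Restart OSSEC after editing and, as dan suggests, check with ossec-logtest that a matching event is now reported with the 1002xx rule id and level 5 instead of the parent's level.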

dan (ddp)

Jun 27, 2012, 8:38:25 AM
to ossec...@googlegroups.com
On Wed, Jun 27, 2012 at 1:04 AM, Steve W <stev...@gmail.com> wrote:
>
>   Hey Dan,
>
> I appreciate your help with some of these rules & such. If I could ever get
> a chance to talk with you via chat or something, I would appreciate it.
> There are things that are hard to explain here, and would be easier to talk
> about it. If you wouldn't mind sending me an email with any contact info,
> I'd appreciate it. My email address is   St...@typhoontech.net
>
>    Thanks
>
> Steve
>

There are several of us on IRC at various times of the day. #ossec on freenode