[ossec-dev] [Bug 31] New: Level in the e-mail alerts are confusing
http://www.ossec.net/bugs/show_bug.cgi?id=31
Summary: Level in the e-mail alerts are confusing
Product: OSSEC
Version: 0.9-3
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: ossec core
AssignedTo: ossec-dev@xxxxxxxxx
ReportedBy: dcid@xxxxxxxxx
From: Jérôme Tytgat <jerome.tytgat _ at _ sioban.net>
When OSSEC sends an email with several alerts inside, the level of the
first one is inserted in the Subject of the mail.
IMHO it should insert the highest level of alert in the Subject.
It's especially a problem when multiple alerts of the same type are
triggered:
Return-Path: <ossecm@xxxxxxxx>
Received: from xxxxx.xxxx.net (xxxx.xxxx.net [xx.xx.xx.53])
by xxxx.xxxx.net (envelope-from ossecm@xxxxxxxx)
(8.13.8/8.13.8/Debian-2) with ESMTP id k8F7Dw7k007618
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
for <ossec@xxxxxxxx>; Fri, 15 Sep 2006 09:14:04 +0200
Received: from notify.ossec.net (localhost.localdomain [127.0.0.1])
by xxxxx.xxxx.net (8.13.4/8.13.4/Debian-3sarge3) with SMTP id
k8F797Lt014109
for <ossec@xxxxxxxx>; Fri, 15 Sep 2006 09:09:07 +0200
Message-Id: <200609150709.k8F797Lt014109@xxxxxxxxxxxxx>
To: <ossec@xxxxxxxx>
From: OSSEC HIDS <ossecm@xxxxxxxx>
Date: Fri, 15 Sep 2006 09:09:07 CEST
Subject: OSSEC Notification - yyyy - Alert level 7
X-Virus-Scanned-By: xxxx.xxxx.net, using SOPHIE & CLAMD
X-Spam-Scanned-By: xxxx.xxxx.net, using SpamAssassin 3.1.4 (hard limit 5)
X-Spam-Flag: No
X-Spam-Info: -9.865; BAYES_00,FORGED_RCVD_HELO
X-Scanned-By: MIMEDefang 2.57 on 10.XX.XX.1
OSSEC HIDS Notification.
2006 Sep 15 09:08:47
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:51
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:53
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Sep 15 09:08:55
Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):
[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.
Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname
"www.xxxx.net"] [uri "/bin/ls"]
--END OF NOTIFICATION
--
Configure bugmail: http://www.ossec.net/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
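The behaviour the report describes, as an added example that is not part of the original message or of OSSEC's own code: a small Python parser run over a constructed, abbreviated copy of the notification body above. It extracts every "Rule: N fired (level L)" line, computes the level the 0.9 Subject carries (the first alert's) next to the highest level in the body, and offers a check a mail filter could apply to flag a Subject that understates its body. The sample body, the hostname "yyyy" and all function names are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: an abbreviated OSSEC 0.9-style mail body, modelled on
# the report above (two notifications, levels 7 and 14). Not real data.
SAMPLE_BODY = """\
OSSEC HIDS Notification.
2006 Sep 15 09:08:47

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod
Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.

--END OF NOTIFICATION
"""

# The level sits before the "->", so mail wrapping of the description
# (as in "Mod\nSecurity." above) does not affect the match.
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\)', re.MULTILINE)
SUBJECT_RE = re.compile(r'Alert level (\d+)\s*$')


def parse_alerts(body: str) -> List[Tuple[int, int]]:
    """Return (rule_id, level) for every notification in body, in order."""
    return [(int(rule), int(level)) for rule, level in RULE_RE.findall(body)]


def first_level(alerts: List[Tuple[int, int]]) -> Optional[int]:
    """What the 0.9 Subject shows: the level of the first grouped alert."""
    return alerts[0][1] if alerts else None


def highest_level(alerts: List[Tuple[int, int]]) -> Optional[int]:
    """What the report asks for: the highest level among the grouped alerts."""
    return max(level for _, level in alerts) if alerts else None


def build_subject(hostname: str, body: str) -> str:
    """Subject line in the page's format, using the highest level in body.

    The 'OSSEC Notification - <host> - Alert level N' layout is copied from
    the report; the hostname argument is an assumption of this example.
    """
    level = highest_level(parse_alerts(body))
    if level is None:
        raise ValueError("no 'Rule: ... fired (level N)' line found in body")
    return f"OSSEC Notification - {hostname} - Alert level {level}"


def subject_understates_body(subject: str, body: str) -> bool:
    """True when the Subject's level is lower than the body's highest level.

    A mail filter or ticketing hook can use this to re-prioritise a grouped
    notification whose Subject only reflects the first alert.
    """
    m = SUBJECT_RE.search(subject)
    top = highest_level(parse_alerts(body))
    if m is None or top is None:
        return False
    return int(m.group(1)) < top


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_BODY)
    print("alerts:", alerts)
    print("first level (0.9 subject):", first_level(alerts))
    print("highest level (proposed):", highest_level(alerts))
    print(build_subject("yyyy", SAMPLE_BODY))
    old_subject = "OSSEC Notification - yyyy - Alert level 7"
    print("subject understates body:",
          subject_understates_body(old_subject, SAMPLE_BODY))
```

Running the block prints the two parsed alerts, level 7 for the first-alert policy and 14 for the highest-level policy, and flags the level-7 Subject from the report as understating its body. The check is deliberately one-directional: a Subject that overstates the body is not flagged, since that does not hide a higher-severity alert from whoever triages by Subject.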
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.