
[Ossec-list] ossec-hids-0.7p1 questions



Hi everyone!

I ran into OSSEC and it helped a friend of mine rid his system of a
hidden root-kit. Bravo!

Now, I have it installed on a couple of different servers.

First, one small problem:

The default configuration generates emails coming from "ossect at YOURHOST".
However, the installation creates the following users: ossec, ossecm,
ossece, ossecr. There is no ossect user created.

If your MTA is set up to do sender verification (like exim), it will
reject all mail generated by OSSEC.

In order to fix this, I had to make the mail come from "ossecm".

Next, my questions:

1) I am getting lots of emails like this from OSSEC:

   Received From: /var/log/messages
   Rule: 102 fired (level 7) -> "Possible problem (unknown) somewhere
   in the system"
   Portion of the log(s):

   "named[3271]: client 69.51.117.46#12601: update 'sylvan.com/IN' denied"

   How am I supposed to fix (or ignore) this?

2) Another similar notification:

   Received From: /var/log/messages
   Rule: 102 fired (level 7) -> "Possible problem (unknown) somewhere
   in the system"
   Portion of the log(s):

   "xinetd[9440]: libwrap refused connection to imap (libwrap=imapd) from 216.25.10.69"

   Again, how do I fix this (or shut this up)?

3) What do the levels signify? Is level 7 worse or better than level 1?

Thanks a lot for OSSEC and for your answers!

			---Kayvan
-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
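The three questions above all come down to how a generic catch-all rule is refined. In OSSEC, levels run from 0 to 15 with higher meaning more severe, and the default e-mail threshold is level 7, which is why both of the quoted rule 102 hits arrived as mail. The usual tuning is not to delete the catch-all but to add specific child rules that match the known log lines and assign them a level below the mail threshold, so the events are still logged but no longer e-mailed. The following is an added illustrative model of that mechanism written for this page; it is not OSSEC's engine, not its rule files, and the child rule ids (100001, 100002), their regexes, levels and descriptions are assumptions. The sample log lines are constructed: the first two reuse the messages quoted in the post, the third is invented to show the fallback path.

```python
"""Illustrative model of tuning a noisy catch-all IDS rule (like rule 102 in the
post above) with more specific child rules. Not OSSEC's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal syslog prefix parser: "Mon DD HH:MM:SS host <message>".
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<msg>.*)$")

# OSSEC convention, which this model copies: levels 0..15, higher is worse,
# level 0 means "ignore", and the default e-mail threshold is 7.
EMAIL_LEVEL = 7


@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int
    pattern: "re.Pattern[str]"   # applied to the message part of the line
    description: str
    parent: Optional[int] = None  # id of the generic rule this one refines


# The generic "bad words" rule, modelled on the rule 102 text quoted in the post.
CATCH_ALL = Rule(
    rule_id=102, level=7,
    pattern=re.compile(r"denied|refused|failed|error", re.IGNORECASE),
    description="Possible problem (unknown) somewhere in the system",
)

# Assumed child rules (ids, levels and patterns are this example's, not OSSEC's).
# Each one only applies to lines that already matched its parent.
CHILDREN = [
    Rule(100001, 3,
         re.compile(r"named\[\d+\]: client \S+#\d+: update '[^']+' denied"),
         "BIND refused a dynamic DNS update for a zone that does not accept them",
         parent=102),
    Rule(100002, 5,
         re.compile(r"xinetd\[\d+\]: libwrap refused connection to \S+ .*from \S+"),
         "TCP wrappers blocked a connection (access control working as configured)",
         parent=102),
]

# Constructed sample input: two messages from the post, plus one invented line.
SAMPLE_LOGS = [
    "Mar 14 10:22:01 shell named[3271]: client 69.51.117.46#12601: "
    "update 'sylvan.com/IN' denied",
    "Mar 14 10:23:17 shell xinetd[9440]: libwrap refused connection to imap "
    "(libwrap=imapd) from 216.25.10.69",
    "Mar 14 10:24:09 shell su[4410]: FAILED su for root by nobody",
]


def classify(line: str) -> Optional[Rule]:
    """Return the most specific matching rule, the catch-all, or None."""
    m = SYSLOG_RE.match(line)
    msg = m.group("msg") if m else line
    if not CATCH_ALL.pattern.search(msg):
        return None
    # Children are tried first; the first match wins, otherwise the parent fires.
    for child in CHILDREN:
        if child.parent == CATCH_ALL.rule_id and child.pattern.search(msg):
            return child
    return CATCH_ALL


def should_email(rule: Optional[Rule], email_level: int = EMAIL_LEVEL) -> bool:
    """An alert is mailed only when its level reaches the e-mail threshold."""
    return rule is not None and rule.level >= email_level


def triage(lines: List[str]) -> List[Tuple[str, Optional[int], int, bool]]:
    """(line, rule id, level, mailed?) for each line; level -1 when no rule fires."""
    out = []
    for line in lines:
        rule = classify(line)
        out.append((line, rule.rule_id if rule else None,
                    rule.level if rule else -1, should_email(rule)))
    return out


if __name__ == "__main__":
    for line, rule_id, level, mailed in triage(SAMPLE_LOGS):
        print(f"rule={rule_id} level={level} mail={mailed}: {line}")
```

With the two child rules in place, the named and libwrap lines still fire (at levels 3 and 5, so they stay in the alert log), but only the unmatched `FAILED su` line reaches the level-7 threshold and would be mailed. Raising rather than lowering a child rule's level is the same mechanism in the other direction, for log lines that deserve more attention than the generic rule gives them.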




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.