
[ossec-list] Rules for SELINUX, Cyrus-IMAPd, and rule tweaking



Greetings, all.  I'm on my first OSSEC install and I like what I've seen 
so far.  I have however run into a couple of inbox-cluttering problems. 
OSSEC seems to be hung up on the syslog entries generated by 
Cyrus-IMAPd, SELINUX, and even my Sendmail for "rejected messages".


** Alert 1184907608.3079: mail  - syslog,errors,
2007 Jul 20 00:00:08 perseus->/var/log/maillog
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Jul 20 00:00:06 perseus lmtpunix[6559]: IOERROR: fstating sieve script /var/lib/imap/sieve/r/root/defaultbc: No such file or directory


** Alert 1184907602.897: mail  - syslog,errors,
2007 Jul 20 00:00:02 perseus->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Jul 20 00:00:01 perseus kernel: audit(1184907601.074:15041): avc:  denied  { read } for  pid=6579 comm="rndc" name="[5635049]" dev=pipefs ino=5635049 scontext=root:system_r:ndc_t:s0-s0:c0.c255 tcontext=user_u:system_r:crond_t:s0-s0:c0.c255 tclass=fifo_file


** Alert 1184908490.11881: - syslog,sendmail,
2007 Jul 20 00:14:50 perseus->/var/log/maillog
Rule: 3107 (level 4) -> 'Sendmail rejected message.'
Src IP: (none)
User: (none)
Jul 20 00:14:49 perseus sendmail[7015]: l6K5EfIw007015: Milter: to=<user@xxxxxxxxxx>, reject=554 5.7.1 218.162.213.174: on real-time blacklist zen.spamhaus.org


Given that this is a mail server I would expect more than a few of the 
Cyrus and Sendmail log entries (which explains my rather full inbox).  I 
also don't care about the SELINUX messages.  I forgot to disable SELINUX 
when I built this box and haven't gotten around to it since.  The 
SELINUX messages weren't an issue until I had something watching my logs.

Does anyone have a rules file for Cyrus by chance?  I'm guessing that 
someone else out there is already running OSSEC and Cyrus together so I 
thought I'd ask before I write them myself.

Does anyone have a rules file for SELINUX log entries?  Someday I'd like 
to tackle the SELINUX learning curve to see if I can make use of it.  In 
the meantime I'd just like to ignore all SELINUX-related fluff.

The Sendmail message is caused by rule 3107.  However I really don't 
care if I reject a message.  I reject thousands of them per day on this 
mail server and many more on our production systems.  I've been looking 
through the docs and have found instructions on rule creation including 
some wording about levels (1-16).  However I haven't been able to find 
anything that says what each end of the levels corresponds to.  I.e., what 
direction does increased severity go, up or down on the scale?  I'm a 
little confused on exactly how this rule works:

   <rule id="3107" level="4">
     <if_sid>3101</if_sid>
     <description>Sendmail rejected message.</description>
   </rule>

Looking at the other rules I see regexes matching parts of log entries on 
<match> lines.  3107 doesn't have a match though so how is it matching 
the rejected message strings?  Am I looking at this wrong?

Thanks
  Justin


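The tuning the post asks about, written out as an added example local_rules.xml (not from the original post or the OSSEC project): OSSEC levels run 0 to 15 with higher meaning more severe, and a rule at level 0 is never alerted on, so a level-0 child of rule 1002 that <match>es the noisy fragment swallows the Cyrus and SELinux lines, while overwrite="yes" downgrades 3107 without editing the shipped sendmail rules. The rule ids 100010 and 100011 are assumed to be free in the local (100000+) range.

```xml
<!-- Added example local_rules.xml; rule ids 100010/100011 are assumed unused. -->
<group name="local,syslog,">

  <!-- Cyrus: a user without a default sieve script makes lmtpunix log an
       IOERROR, which the generic rule 1002 picks up. A level-0 child of 1002
       matching that fragment claims the line, and level 0 is never alerted. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <match>IOERROR: fstating sieve script</match>
    <description>Cyrus lmtpunix: missing sieve script, ignored locally.</description>
  </rule>

  <!-- SELinux: 1002 fires on the word "denied" in AVC audit lines. The audit
       format pads "avc:" and "denied" with two spaces, so a regex with \s+
       is safer than a literal <match>. Raise the level later when tuning
       SELinux instead of ignoring it. -->
  <rule id="100011" level="0">
    <if_sid>1002</if_sid>
    <regex>avc:\s+denied</regex>
    <description>SELinux AVC denial, ignored locally until SELinux is tuned.</description>
  </rule>

  <!-- Sendmail: 3107 has no <match> of its own because <if_sid> makes it fire
       for every line its parent 3101 already decoded as a reject. Overwriting
       it at level 0 keeps the same structure but stops the alert e-mails. -->
  <rule id="3107" level="0" overwrite="yes">
    <if_sid>3101</if_sid>
    <description>Sendmail rejected message (silenced on this mail server).</description>
  </rule>

</group>
```

Run `ossec-logtest` and paste one of the quoted log lines after restarting OSSEC to confirm the line now lands on the level-0 rule instead of 1002 or 3107.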


OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.