[ossec-list] Re: Ossec Problem: email_alert_level not being honored. Alert level 3 received in mail.
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Ossec Problem: email_alert_level not being honored. Alert level 3 received in mail.
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 26 Jul 2007 21:56:11 -0300
Hi Will,
You need to create a local rule to ignore/change it. Our FAQ has
information about it:
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
My presentation at AusCERT also helps to understand it:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
A step by step in your case would be:
1- Edit /var/ossec/rules/local_rules.xml and add the following:
  <group name="local">
    <rule id="100101" level="3">
      <if_sid>18119</if_sid>
      <hostname>termsrv1</hostname>
      <description>First time this user logged in this system -- no email alert</description>
    </rule>
  </group>
2- Restart ossec.
By making this change, all "first time" alerts from host termsrv1 will have only a severity of 3, without the "alert_by_email" option...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/07, Will Froning <will.froning@xxxxxxxxx> wrote:
>
> Hello Daniel,
>
> On 7/26/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> >
> > Hey,
> >
> > If I am not misunderstanding the problem, this is not a bug on ossec,
> > but it happens because some rules have:
> >
> > <options>alert_by_email</options>
> >
> > to bypass the default e-mail alerting level.
> >
> > Check out:
> > http://www.ossec.net/ossec-list/2007-July/msg00034.html
> > http://www.ossec.net/ossec-list/2007-July/msg00035.html
> >
> > If that's not it, let me know and we can try to figure out what is happening...
> >
>
> That was it. My bad. So I found one of the offending rules in
> rules/msauth_rules.xml. How would I go about disabling it for just
> one server?
>
> The example is, we have a terminal server where potentially over 1000
> new users may use it in a semester. For these types of servers it
> wouldn't provide any additional information to send me 1000 of the
> below messages as it's normal:
>
> Received From: (termsrv1) 192.168.35.40->WinEvtLog
> Rule: 18119 fired (level 3) -> "First time this user logged in this system."
>
> This is a Solaris 10 server with W2k3 agent.
>
> The manual and list archives didn't clue me in, so any help would be great.
>
> Thanks,
> Will
>
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> >
> > On 7/25/07, Will Froning <will.froning@xxxxxxxxx> wrote:
> > >
> > > Hello All,
> > >
> > > On 7/25/07, Will Froning <will.froning@xxxxxxxxx> wrote:
> > > > Hello All,
> > > >
> > > > Here's a "me too" message on this. Server/agent with the most recent
> > > > snapshot I could find running on Solaris 10.
> > > >
> > >
> > > I just confirmed that this is still happening with
> > > ossec-hids-070722.tar.gz. Any suggestions on tracking this down?
> > >
> > > Thanks,
> > > Will
> > >
> > >
> > > > On 7/25/07, Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > I too have this issue. My ossec.conf file is the same as Frank's
> > > > > (defaults) and yet I receive alerts daily that are at levels below 7. I
> > > > > have a server/agent setup.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > - Cheers
> > > > > Clayton Dillard
> > > > >
> > > > > Frank Spierings wrote:
> > > > > > Hi people,
> > > > > >
> > > > > > I have a problem with my OSSEC server.
> > > > > > The ossec.conf is pretty default. I only changed the email to address.
> > > > > >
> > > > > > This is the only alerts group in the file:
> > > > > > <alerts>
> > > > > > <log_alert_level>1</log_alert_level>
> > > > > > <email_alert_level>7</email_alert_level>
> > > > > > </alerts>
> > > > > >
> > > > > > Still I'm receiving "ossec agent started" emails from the server,
> > > > > > which are level 3. I checked out the specific rule, but I dont see any
> > > > > > indication why it should send me these mails.
> > > > > > Any idea where I should start my quest?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Frank Spierings
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
>
>
> --
> Will Froning
> Unix SysAdmin
> Will.Froning@xxxxxxxxx
> MSN: wfroning@xxxxxxxx
> YIM: will_froning
> AIM: willfroning
>
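The decision Daniel describes above, as an added example that is not part of the original thread and not OSSEC's own code: a small Python model of how the rule that fired is replaced by a host-specific local child rule, and of the two conditions that make ossec-maild send a message (level at or above email_alert_level, or the alert_by_email option). Rule 18119 is a constructed stand-in that only keeps the level and option mentioned in the thread (the real rule in msauth_rules.xml has more match criteria); the local rule is the one from the reply. Hostname matching is simplified to an exact comparison, which is an assumption of this model.

```python
"""Model of how OSSEC picks the rule and decides whether to e-mail an alert.

ossec-maild e-mails an alert when its level is at or above <email_alert_level>,
or when the rule that fired carries <options>alert_by_email</options>.  A local
rule whose <if_sid> points at the noisy parent and whose <hostname> names one
agent is evaluated after the parent, so the alert takes the child's level and
options instead.  Simplification assumed here: <hostname> is an exact match.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for rule 18119.  Only the level and the alert_by_email
# option are taken from the thread; the real rule in msauth_rules.xml has
# additional match criteria that do not matter for the e-mail decision.
PARENT_RULES = """
<group name="windows,authentication_success">
  <rule id="18119" level="3">
    <description>First time this user logged in this system.</description>
    <options>alert_by_email</options>
  </rule>
</group>
"""

# The local rule from the reply, as it would go in /var/ossec/rules/local_rules.xml.
LOCAL_RULES = """
<group name="local">
  <rule id="100101" level="3">
    <if_sid>18119</if_sid>
    <hostname>termsrv1</hostname>
    <description>First time this user logged in this system -- no email alert</description>
  </rule>
</group>
"""


@dataclass
class Rule:
    sid: int
    level: int
    description: str
    if_sid: Optional[int] = None
    hostname: Optional[str] = None
    options: List[str] = field(default_factory=list)


def load_rules(*xml_docs: str) -> Dict[int, Rule]:
    """Parse <rule> elements from one or more rules files into a sid-keyed table."""
    rules: Dict[int, Rule] = {}
    for doc in xml_docs:
        root = ET.fromstring(doc.strip())
        for elem in root.iter("rule"):
            rule = Rule(
                sid=int(elem.get("id")),
                level=int(elem.get("level")),
                description=(elem.findtext("description") or "").strip(),
            )
            if_sid = elem.findtext("if_sid")
            if if_sid is not None:
                rule.if_sid = int(if_sid.strip())
            hostname = elem.findtext("hostname")
            if hostname is not None:
                rule.hostname = hostname.strip()
            for opts in elem.findall("options"):
                rule.options.extend(o.strip() for o in (opts.text or "").split(",") if o.strip())
            rules[rule.sid] = rule
    return rules


def resolve(fired_sid: int, hostname: str, rules: Dict[int, Rule]) -> Rule:
    """Walk if_sid children of the rule that fired; the deepest host-matching child wins."""
    current = rules[fired_sid]
    seen = {current.sid}
    while True:
        children = [
            r for r in rules.values()
            if r.if_sid == current.sid
            and r.sid not in seen
            and (r.hostname is None or r.hostname == hostname)
        ]
        if not children:
            return current
        current = children[0]
        seen.add(current.sid)


def should_email(rule: Rule, email_alert_level: int = 7) -> bool:
    """Either trigger is enough; raising email_alert_level alone does not silence alert_by_email."""
    return rule.level >= email_alert_level or "alert_by_email" in rule.options


def decide(fired_sid: int, hostname: str, rules: Dict[int, Rule],
           email_alert_level: int = 7) -> Tuple[int, int, bool]:
    """Return (effective rule id, effective level, e-mail sent?) for one alert."""
    rule = resolve(fired_sid, hostname, rules)
    return rule.sid, rule.level, should_email(rule, email_alert_level)


RULES = load_rules(PARENT_RULES, LOCAL_RULES)

if __name__ == "__main__":
    for host in ("termsrv1", "fileserver"):
        sid, level, mailed = decide(18119, host, RULES)
        print(f"{host}: rule {sid} level {level} -> email {'yes' if mailed else 'no'}")
```

Running it shows the two outcomes the thread is about: an alert from termsrv1 lands on rule 100101 at level 3 with no options and is not mailed, while the same alert from any other host stays on 18119 and is mailed regardless of how high email_alert_level is set, which is exactly why Frank's default configuration kept producing level 3 mails. On a real server, /var/ossec/bin/ossec-logtest can be fed a sample log line to confirm which rule id and level OSSEC itself assigns after the local rule is added.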
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.