When OSSEC sends an email with several alerts inside, the level of the first one is inserted
in the Subject of the mail.

IMHO it should insert the highest alert level in the Subject.

It's especially a problem when multiple alerts of the same kind are triggered:

Return-Path: <[EMAIL PROTECTED]>
Received: from xxxxx.xxxx.net (xxxx.xxxx.net [xx.xx.xx.53])
by xxxx.xxxx.net (envelope-from [EMAIL PROTECTED]) (8.13.8/8.13.8/Debian-2) with ESMTP id k8F7Dw7k007618
   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
   for <[EMAIL PROTECTED]>; Fri, 15 Sep 2006 09:14:04 +0200
Received: from notify.ossec.net (localhost.localdomain [127.0.0.1])
by xxxxx.xxxx.net (8.13.4/8.13.4/Debian-3sarge3) with SMTP id k8F797Lt014109
   for <[EMAIL PROTECTED]>; Fri, 15 Sep 2006 09:09:07 +0200
Message-Id: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
From: OSSEC HIDS <[EMAIL PROTECTED]>
Date: Fri, 15 Sep 2006 09:09:07 CEST
Subject: OSSEC Notification - yyyy - Alert level 7
X-Virus-Scanned-By: xxxx.xxxx.net, using SOPHIE & CLAMD
X-Spam-Scanned-By: xxxx.xxxx.net, using SpamAssassin 3.1.4 (hard limit 5)
X-Spam-Flag: No
X-Spam-Info: -9.865; BAYES_00,FORGED_RCVD_HELO
X-Scanned-By: MIMEDefang 2.57 on 10.XX.XX.1



OSSEC HIDS Notification.
2006 Sep 15 09:08:47

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:51

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:53

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"] [error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION



OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500. Pattern match "/bin/ls" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.xxxx.net"] [uri "/bin/ls"]



--END OF NOTIFICATION


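Added example (not part of the original post and not OSSEC's own code): a small Python script that parses a grouped OSSEC mail body in the notification format shown above, counts how many times each rule fired, and derives the Subject level both ways, from the first alert (the behaviour described in the post) and from the highest level in the group (the behaviour the post asks for). The sample body is constructed from trimmed copies of the notifications above; the function names and the `yyyy` host placeholder are assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a trimmed grouped-mail body in the format OSSEC uses,
# with two level-7 alerts followed by one level-14 alert (not a real capture).
SAMPLE_BODY = """
OSSEC HIDS Notification.
2006 Sep 15 09:08:47

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:51

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130117 fired (level 7) -> "Attempt to access forbidden by Mod Security."
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Sep 15 09:08:55

Received From: yyyy->/var/log/apache2/www.xxxx.net.error.log
Rule: 130118 fired (level 14) -> "Multiple attempts blocked by Mod Security"
Portion of the log(s):

[error] [client aa.bb.cc.dd] mod_security: Access denied with code 500.

--END OF NOTIFICATION
"""

# Matches the "Rule: <id> fired (level <n>) -> "<description>"" line of each notification.
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"$', re.M)

# Each grouped notification ends with this marker, so it is the natural split point.
END_MARKER = "--END OF NOTIFICATION"


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str


def parse_alerts(body: str) -> List[Alert]:
    """Split a grouped OSSEC mail body into its individual alerts."""
    alerts: List[Alert] = []
    for chunk in body.split(END_MARKER):
        m = RULE_RE.search(chunk)
        if m:  # the trailing chunk after the last marker has no rule line
            alerts.append(Alert(int(m.group(1)), int(m.group(2)), m.group(3)))
    return alerts


def count_by_rule(alerts: List[Alert]) -> Dict[int, int]:
    """How many times each rule fired inside the group (the 'same kind' case)."""
    return dict(Counter(a.rule_id for a in alerts))


def subject_first_level(alerts: List[Alert], host: str) -> str:
    """Subject built the way the post describes: level of the first alert only."""
    return f"OSSEC Notification - {host} - Alert level {alerts[0].level}"


def subject_max_level(alerts: List[Alert], host: str) -> str:
    """Subject built the way the post asks for: highest level in the group."""
    return f"OSSEC Notification - {host} - Alert level {max(a.level for a in alerts)}"


if __name__ == "__main__":
    group = parse_alerts(SAMPLE_BODY)
    print(count_by_rule(group))
    print(subject_first_level(group, "yyyy"))
    print(subject_max_level(group, "yyyy"))
```

Run against the sample body, the first form yields "Alert level 7" while the group actually contains a level-14 alert, which is exactly the mismatch the post points out; the second form surfaces the level 14 in the Subject so a reader filtering mail by level does not miss it.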