Um - "error" and "fatal" both occur there, so what you really want to do is not alert on the string "fatal-errors@". (Who ever creates a mail username of "fatal-errors"? Must be an example.com issue.)
This was one of the first things I ever had to do in locally configuring rules for OSSEC. This is quite straightforward. What have you tried so far? I'd use "<if-sid>" and "<match>" for this, and of course put it in local_rules.xml.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Scott
Sent: Monday, December 10, 2012 10:53
To: ossec-list@googlegroups.com
Subject: [ossec-list] Help to eliminate false positive

I'm having trouble making a rule to eliminate this false positive; rule 1002 is kicking in:

sendmail[24167]: qBAHj1gY023631: to=<fatal-err...@example.com>, delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705, relay=xyz.example.com. [1.2.3.4], dsn=2.0.0, stat=Sent (Ok: queued as 4D47E343E84D)

This e-mail was successful, even though it is sent to a mailbox for errors.
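An added example of the local rule Shane's reply describes (it is not code posted in this thread). It assumes rule id 100010 is unused in local_rules.xml and that the recipient string to match is the literal "fatal-errors@" named above; note that OSSEC spells the parent-rule tag if_sid.

```xml
<!-- local_rules.xml: added example, not from the thread. Rule id 100010 is an
     assumed free id in the 100000-119999 range reserved for local rules. -->
<group name="local,syslog,sendmail,">
  <!-- Evaluated only after rule 1002 ("Unknown problem somewhere in the system")
       has matched; level 0 drops the event so no alert is generated. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <!-- Both conditions must hold: the recipient is the error mailbox AND
         sendmail reports the delivery as successful. A message to that
         mailbox that fails to deliver still raises the original alert. -->
    <match>fatal-errors@</match>
    <regex>stat=Sent</regex>
    <description>Sendmail delivered to the fatal-errors mailbox; not a system error.</description>
  </rule>
</group>
```

After restarting OSSEC, paste the original log line into /var/ossec/bin/ossec-logtest to confirm it now ends at rule 100010 with level 0 instead of rule 1002.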