On Mon, 10 Dec 2012 09:53:17 -0800 (PST) Scott <wa6...@gmail.com> wrote:
> I'm having trouble making a rule to eliminate this false positive,
> rule 1002 is kicking in:
> 
> sendmail[24167]: qBAHj1gY023631: to=<fatal-err...@example.com>, 
> delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705, 
> relay=xyz.example.com. [1.2.3.4], dsn=2.0.0, stat=Sent (Ok: queued as 
> 4D47E343E84D)
> 
> This *e-mail* was successful, even though it is sent to a mailbox for 
> errors.

What have you tried?  

If you are trying to completely suppress rule 1002, add a new rule to 
Rules/local_rules.xml and restart ossec. Make sure the rule id you use isn't 
already in use.

<rule id="100002" level="0">
    <!-- child of 1002: level 0 means the event is never alerted on -->
    <if_sid>1002</if_sid>
    <description>Ignore</description>
</rule>


or you can just disable the email notifications:

<rule id="100002" level="7">
    <!-- alert is still logged at level 7, but no e-mail is sent for it -->
    <if_sid>1002</if_sid>
    <options>no_email_alert</options>
    <description>Ignore</description>
</rule>

However, if you are trying to suppress just this specific example: I was getting 
alerts on 1002 during snort startup because of this logged line: 

  Dec 10 12:08:41 goonsquad snort[2550]:   Bad autodetects: 73 

Here's what I've used to ignore the above:

<rule id="100006" level="0">
  <!-- only 1002 hits whose text contains "autodetects" are silenced -->
  <if_sid>1002</if_sid>
  <match>autodetects</match>
  <description>Ignore snort startup</description>
</rule>


Hope that helps.
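As an added illustration (not from the thread and not OSSEC code), the following toy model applies a parent rule plus `<if_sid>` child overrides to the two log lines above, contrasting the blanket level-0 override with narrow `<match>` overrides. The parent keyword list is a constructed stand-in for rule 1002, and rule 100007 (matching `stat=Sent`) is a hypothetical narrow override for the sendmail line.

```python
"""Toy model of OSSEC-style rule evaluation: a parent rule and <if_sid>
children in the style of local_rules.xml. Added example, not OSSEC code."""

# Constructed stand-in for rule 1002's keyword match (the real list lives in
# OSSEC's syslog_rules.xml and is not reproduced here); level is assumed.
PARENT = {"id": 1002, "level": 2, "match": "fatal|bad |error"}

# Narrow children: 100006 is the snort rule from the thread, 100007 is a
# hypothetical override that only covers successful sendmail deliveries.
NARROW_OVERRIDES = [
    {"id": 100006, "level": 0, "match": "autodetects"},
    {"id": 100007, "level": 0, "match": "stat=Sent"},
]
# Blanket child from the thread's first option: no <match>, so it always applies.
BLANKET_OVERRIDE = [{"id": 100002, "level": 0, "match": None}]


def ossec_match(pattern, line):
    """Model of <match>: case-insensitive substring test, '|' separates alternatives."""
    low = line.lower()
    return any(alt.lower() in low for alt in pattern.split("|"))


def evaluate(line, overrides):
    """Return (rule_id, level) the line ends up at, or None if the parent never fires."""
    if not ossec_match(PARENT["match"], line):
        return None
    for child in overrides:  # first matching <if_sid> child wins
        if child["match"] is None or ossec_match(child["match"], line):
            return child["id"], child["level"]
    return PARENT["id"], PARENT["level"]


# Sample lines: the two from the thread plus a constructed genuine problem.
SENDMAIL = ("sendmail[24167]: qBAHj1gY023631: to=<fatal-err...@example.com>, "
            "delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705, "
            "relay=xyz.example.com. [1.2.3.4], dsn=2.0.0, stat=Sent (Ok: queued as 4D47E343E84D)")
SNORT = "snort[2550]:   Bad autodetects: 73"
REAL_PROBLEM = "kernel: fatal error: disk read failure on sda"  # constructed


if __name__ == "__main__":
    for name, line in [("sendmail", SENDMAIL), ("snort", SNORT), ("real", REAL_PROBLEM)]:
        print(name, "narrow ->", evaluate(line, NARROW_OVERRIDES),
              "blanket ->", evaluate(line, BLANKET_OVERRIDE))
```

The blanket override drops the genuine problem line to level 0 along with the false positives, which is the risk of suppressing all of 1002 rather than matching the specific noise.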
