On Tue, Feb 14, 2017 at 7:11 PM, <security@lundberg.email> wrote:
> Hi! I'm trying to remove these notifications from mailscanner.
>
> OSSEC HIDS Notification.
> 2017 Feb 14 06:29:41
>
> Received From: hostname->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated
>
> --END OF NOTIFICATION
>
> I've tried to make a rule for it but it's not working. Any help is appreciated!
>
> <rule id="3752" level="0">
>   <if_sid>1002</if_sid>
>   <match>update.bad.phishing.sites: Phishing bad sites list updated</match>
As you can see below, "update.bad.phishing.sites" is decoded as the program name:

**Phase 1: Completed pre-decoding.
       full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
       hostname: 'hostname'
       program_name: 'update.bad.phishing.sites'
       log: 'Phishing bad sites list updated'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

Using the rule:

<rule id="100067" level="0">
  <if_sid>1002</if_sid>
  <program_name>update.bad.phishing.sites</program_name>
  <match>^Phishing bad sites list updated</match>
  <description>ignore</description>
</rule>

Gives me the following output:

**Phase 1: Completed pre-decoding.
       full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
       hostname: 'hostname'
       program_name: 'update.bad.phishing.sites'
       log: 'Phishing bad sites list updated'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100067'
       Level: '0'
       Description: 'ignore'

>   <description>Ignore mailscanner update messages.</description>
> </rule>
>
> --
> Göran Lundberg
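The following is an added illustration, not code from the thread or from OSSEC itself: a small Python approximation of OSSEC's syslog pre-decoding and of how the <program_name> and <match> options are evaluated, run against the event quoted above. It assumes (as the ossec-logtest output shows) that <match> is tested against the decoded log field rather than the full line, and it uses Python regular expressions as a stand-in for OSSEC's own pattern syntax.

```python
import re

# Constructed sample event, same shape as the one quoted in the thread.
EVENT = ("Feb 14 06:29:39 hostname update.bad.phishing.sites: "
         "Phishing bad sites list updated")

# Approximation of OSSEC Phase 1 pre-decoding for syslog format:
# "<Mon dd hh:mm:ss> <hostname> <program_name>: <log>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\s]+): "
    r"(?P<log>.*)$"
)

def predecode(event):
    """Split a syslog line into hostname, program_name and log (Phase 1)."""
    m = SYSLOG_RE.match(event)
    if not m:
        # Non-syslog lines: the whole event is treated as the log field.
        return {"hostname": None, "program_name": None, "log": event}
    return {k: m.group(k) for k in ("hostname", "program_name", "log")}

def rule_matches(rule, decoded):
    """Evaluate <program_name> and <match> against a pre-decoded event.
    <program_name> is compared with the decoded program name, while <match>
    is tested against the log field only, never against the full line.
    (Python re stands in for OSSEC's pattern syntax; <if_sid> is ignored.)"""
    prog = rule.get("program_name")
    if prog is not None and decoded["program_name"] != prog:
        return False
    pat = rule.get("match")
    if pat is not None and re.search(pat, decoded["log"]) is None:
        return False
    return True

# Rule 3752 from the question: <match> still contains the program name.
RULE_3752 = {"match": "update.bad.phishing.sites: Phishing bad sites list updated"}
# Rule 100067 from the reply: program name checked separately, <match> anchored.
RULE_100067 = {"program_name": "update.bad.phishing.sites",
               "match": "^Phishing bad sites list updated"}

def evaluate(event=EVENT):
    """Return the decoded fields and whether each rule would match the event."""
    decoded = predecode(event)
    return {"decoded": decoded,
            "3752_matches": rule_matches(RULE_3752, decoded),
            "100067_matches": rule_matches(RULE_100067, decoded)}

if __name__ == "__main__":
    print(evaluate())
```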