On Tue, Feb 14, 2017 at 7:11 PM,  <security@lundberg.email> wrote:
> Hi! I'm trying to remove these notifications from mailscanner.
>
>
> OSSEC HIDS Notification.
> 2017 Feb 14 06:29:41
>
> Received From: hostname->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list
> updated
>
>
> --END OF NOTIFICATION
>
>
> I've tried to make a rule for it but it's not working. Any help is
> appreciated!
>
> <rule id="3752" level="0">
> <if_sid>1002</if_sid>
> <match>update.bad.phishing.sites: Phishing bad sites list updated</match>

As you can see below, "update.bad.phishing.sites" is decoded as the
program name:
**Phase 1: Completed pre-decoding.
       full event: 'Feb 14 06:29:39 hostname
update.bad.phishing.sites: Phishing bad sites list updated'
       hostname: 'hostname'
       program_name: 'update.bad.phishing.sites'
       log: 'Phishing bad sites list updated'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

Using the rule:
  <rule id="100067" level="0">
      <if_sid>1002</if_sid>
      <program_name>update.bad.phishing.sites</program_name>
      <match>^Phishing bad sites list updated</match>
      <description>ignore</description>
  </rule>

Gives me the following output:
**Phase 1: Completed pre-decoding.
       full event: 'Feb 14 06:29:39 hostname
update.bad.phishing.sites: Phishing bad sites list updated'
       hostname: 'hostname'
       program_name: 'update.bad.phishing.sites'
       log: 'Phishing bad sites list updated'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100067'
       Level: '0'
       Description: 'ignore'



> <description>Ignore mailscanner update messages.</description>
> </rule>
>
> --
> Göran Lundberg
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

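A small model of the pre-decoding described in the reply above, added here as an example and not part of the thread or of OSSEC's own code: it splits the syslog line into hostname, program_name and log the way phase 1 does, then evaluates both rules against the decoded fields. The regex, the Rule class and the simplified match semantics (substring unless anchored with "^") are assumptions, not OSSEC's implementation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample event with the same shape as the one in the notification
SAMPLE = ("Feb 14 06:29:39 hostname update.bad.phishing.sites: "
          "Phishing bad sites list updated")

# Assumed syslog layout: "<timestamp> <hostname> <program_name>[pid]: <log>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(event: str) -> dict:
    """Phase 1 model: the program name is removed from 'log' once extracted."""
    m = SYSLOG_RE.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return m.groupdict()


@dataclass
class Rule:
    id: int
    level: int
    match: Optional[str] = None          # <match>: tested against the 'log' field only
    program_name: Optional[str] = None   # <program_name>: tested against the decoded name

    def fires(self, fields: dict) -> bool:
        if self.program_name is not None and fields["program_name"] != self.program_name:
            return False
        if self.match is not None:
            if self.match.startswith("^"):          # anchored match
                return fields["log"].startswith(self.match[1:])
            return self.match in fields["log"]      # unanchored: substring
        return True


# The poster's rule: the program name is in <match>, but it is no longer in 'log'
BROKEN = Rule(id=3752, level=0,
              match="update.bad.phishing.sites: Phishing bad sites list updated")
# The working rule from the reply: <program_name> plus an anchored <match> on 'log'
FIXED = Rule(id=100067, level=0, program_name="update.bad.phishing.sites",
             match="^Phishing bad sites list updated")


def evaluate(event: str, rules) -> Optional[int]:
    """Return the id of the first child rule that fires, or None if 1002 stands."""
    fields = predecode(event)
    return next((r.id for r in rules if r.fires(fields)), None)
```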