This makes sense, thanks. Will try it.

By the way, shouldn't this be in the default ossec ruleset for mailscanner? It's triggering on rule 1002 on the word 'bad'. But this isn't anything bad. It's confirming
that the cronjob that updates the phishing database is completed.

This is run on a default raspbian/debian installation with mailscanner and ossec from the official repository. Didn't install any extra packages or configurations for mailscanner.

Can anyone add this upstream to the mailscanner_rules.xml? If it is confirmed to work, that is.

--
Best regards,
Göran Lundberg

2017-02-15 21:05 dan (ddp) wrote:
On Tue, Feb 14, 2017 at 7:11 PM,  <security@lundberg.email> wrote:
Hi! I'm trying to remove these notifications from mailscanner.


OSSEC HIDS Notification.
2017 Feb 14 06:29:41

Received From: hostname->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list
updated


--END OF NOTIFICATION


I've tried to make a rule for it but it's not working. Any help is
appreciated!

<rule id="3752" level="0">
<if_sid>1002</if_sid>
<match>update.bad.phishing.sites: Phishing bad sites list updated</match>

As you can see below, "update.bad.phishing.sites" is decoded as the
program name:
**Phase 1: Completed pre-decoding.
       full event: 'Feb 14 06:29:39 hostname
update.bad.phishing.sites: Phishing bad sites list updated'
       hostname: 'hostname'
       program_name: 'update.bad.phishing.sites'
       log: 'Phishing bad sites list updated'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

Using the rule:
  <rule id="100067" level="0">
      <if_sid>1002</if_sid>
      <program_name>update.bad.phishing.sites</program_name>
      <match>^Phishing bad sites list updated</match>
      <description>ignore</description>
  </rule>

Gives me the following output:
**Phase 1: Completed pre-decoding.
       full event: 'Feb 14 06:29:39 hostname
update.bad.phishing.sites: Phishing bad sites list updated'
       hostname: 'hostname'
       program_name: 'update.bad.phishing.sites'
       log: 'Phishing bad sites list updated'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100067'
       Level: '0'
       Description: 'ignore'



<description>Ignore mailscanner update messages.</description>
</rule>

--
Göran Lundberg
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
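Added example, not from the thread or from OSSEC itself: a small Python model of why the first rule (3752) never fires and dan's rule (100067) does. OSSEC's pre-decoder splits a syslog line into hostname, program_name and log, and <match> is tested only against the remaining log text, so a pattern that includes the program name cannot match. The regex is a simplified stand-in for the real pre-decoder, and the sample lines are constructed from the thread (hostname is a placeholder, as in the original).

```python
import re

# Constructed sample event, taken from the notification in the thread.
SAMPLE_EVENT = ("Feb 14 06:29:39 hostname "
                "update.bad.phishing.sites: Phishing bad sites list updated")

# Simplified model of OSSEC pre-decoding for a syslog line:
# "<Mon> <DD> <HH:MM:SS> <hostname> <program_name>[pid]: <log>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

def predecode(line):
    """Return the fields the pre-decoder exposes; unparsed lines keep the whole text as log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {k: m.group(k) for k in ("hostname", "program_name", "log")}

def rule_matches(rule, fields):
    """Evaluate the two rule options used in the thread.
    <program_name> is compared with the pre-decoded program name;
    <match> is applied to the 'log' field only, never to the full line.
    A leading ^ anchors the match at the start of the log field."""
    if "program_name" in rule and rule["program_name"] != fields["program_name"]:
        return False
    if "match" in rule:
        pat = rule["match"]
        if pat.startswith("^"):
            return fields["log"].startswith(pat[1:])
        return pat in fields["log"]
    return True

# Göran's original attempt (3752) and dan's working rule (100067), both children of 1002.
ORIGINAL_RULE = {"id": "3752",
                 "match": "update.bad.phishing.sites: Phishing bad sites list updated"}
WORKING_RULE = {"id": "100067",
                "program_name": "update.bad.phishing.sites",
                "match": "^Phishing bad sites list updated"}

def evaluate(line):
    """Map each rule id to whether it would match the given line."""
    fields = predecode(line)
    return {r["id"]: rule_matches(r, fields) for r in (ORIGINAL_RULE, WORKING_RULE)}

if __name__ == "__main__":
    print(predecode(SAMPLE_EVENT))
    print(evaluate(SAMPLE_EVENT))
```

A line from any other program that merely contains the word "bad" is not matched by 100067, so rule 1002 still alerts on it; the ignore rule is scoped to this one cron job's message.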
