On Wed, Feb 15, 2017 at 4:08 PM, Göran Lundberg <security@lundberg.email> wrote:
> This makes sense, thanks. Will try it.
>
> By the way, shouldn't this be in the default ossec ruleset for mailscanner?
> It's triggering on rule 1002 on the word 'bad'. But this isn't anything bad.
> It's confirming that the cronjob that updates the phishing database is completed.
>
> This is run on a default raspbian/debian installation with mailscanner and
> ossec from the official repository. Didn't install any extra packages or
> configurations for mailscanner.
>
> Can anyone add this upstream to the mailscanner_rules.xml? If it is
> confirmed to work, that is.
>

Test it out and let me know. If it works as intended I'll try to put it in.

> --
> Best regards,
> Göran Lundberg
>
>
> 2017-02-15 21:05 dan (ddp) wrote:
>>
>> On Tue, Feb 14, 2017 at 7:11 PM, <security@lundberg.email> wrote:
>>>
>>> Hi! I'm trying to remove these notifications from mailscanner.
>>>
>>> OSSEC HIDS Notification.
>>> 2017 Feb 14 06:29:41
>>>
>>> Received From: hostname->/var/log/syslog
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>> Portion of the log(s):
>>>
>>> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated
>>>
>>> --END OF NOTIFICATION
>>>
>>> I've tried to make a rule for it but it's not working. Any help is
>>> appreciated!
>>>
>>> <rule id="3752" level="0">
>>> <if_sid>1002</if_sid>
>>> <match>update.bad.phishing.sites: Phishing bad sites list updated</match>
>>
>> As you can see below, "update.bad.phishing.sites" is decoded as the
>> program name:
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
>> hostname: 'hostname'
>> program_name: 'update.bad.phishing.sites'
>> log: 'Phishing bad sites list updated'
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '1002'
>> Level: '2'
>> Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> Using the rule:
>>
>> <rule id="100067" level="0">
>> <if_sid>1002</if_sid>
>> <program_name>update.bad.phishing.sites</program_name>
>> <match>^Phishing bad sites list updated</match>
>> <description>ignore</description>
>> </rule>
>>
>> Gives me the following output:
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
>> hostname: 'hostname'
>> program_name: 'update.bad.phishing.sites'
>> log: 'Phishing bad sites list updated'
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '100067'
>> Level: '0'
>> Description: 'ignore'
>>
>>> <description>Ignore mailscanner update messages.</description>
>>> </rule>
>>>
>>> --
>>> Göran Lundberg
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to ossec-list+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
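As an added illustration (not code from the thread, from OSSEC, or from MailScanner), the script below approximates OSSEC's syslog pre-decoding and the `<program_name>`/`<match>` evaluation that the logtest output above shows, to make clear why the first rule can never fire while the second does: `<match>` is tested against the decoded log portion only, which no longer contains the program name. `SYSLOG_RE`, `predecode` and `rule_matches` are constructed names, and `<match>` is simplified to a substring test with a leading `^` anchor.

```python
import re

# Constructed approximation of OSSEC's syslog pre-decoder (not OSSEC's own code):
# "<Mon> <dd> <hh:mm:ss> <hostname> <program_name>[pid]: <log>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

def predecode(event):
    """Split a syslog line into the fields ossec-logtest prints in Phase 1."""
    m = SYSLOG_RE.match(event)
    if not m:
        # No syslog header: the whole line is the log portion
        return {"hostname": None, "program_name": None, "log": event}
    return {k: m.group(k) for k in ("hostname", "program_name", "log")}

def rule_matches(rule, fields):
    """Evaluate a rule's <program_name> and <match> conditions.

    Simplified model: <program_name> is compared with the decoded program
    name, and <match> is a substring test against the decoded log portion
    only (a leading '^' anchors it to the start of that portion)."""
    pn = rule.get("program_name")
    if pn is not None and fields["program_name"] != pn:
        return False
    pat = rule.get("match")
    if pat is None:
        return True
    if pat.startswith("^"):
        return fields["log"].startswith(pat[1:])
    return pat in fields["log"]

# The event from the notification in the thread
EVENT = ("Feb 14 06:29:39 hostname update.bad.phishing.sites: "
         "Phishing bad sites list updated")

# First post's rule: the pattern includes the program name, which is not
# part of the log portion, so it cannot match
BROKEN_RULE = {"match": "update.bad.phishing.sites: Phishing bad sites list updated"}
# Reply's rule: program name checked separately, match against the log portion
WORKING_RULE = {"program_name": "update.bad.phishing.sites",
                "match": "^Phishing bad sites list updated"}

if __name__ == "__main__":
    fields = predecode(EVENT)
    print(fields)
    print("broken rule matches:", rule_matches(BROKEN_RULE, fields))    # False
    print("working rule matches:", rule_matches(WORKING_RULE, fields))  # True
```

The real `<match>` syntax in OSSEC is its own simplified pattern language rather than a plain substring test, so run the real rule through ossec-logtest as shown in the thread before deploying it.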