It's working perfectly. Hope you can add it to the default rules for 
mailscanner. The script is run four times a day. It's really annoying getting 4 
unnecessary emails per day. 

Thanks a lot for the help! 

Best regards
Göran Lundberg 

"dan (ddp)" <ddp...@gmail.com> wrote: (15 February 2017 22:17:23 CET)
>On Wed, Feb 15, 2017 at 4:08 PM, Göran Lundberg
><security@lundberg.email> wrote:
>> This makes sense, thanks. Will try it.
>>
>> By the way, shouldn't this be in the default ossec ruleset for mailscanner?
>> It's triggering on rule 1002 on the word 'bad'. But this isn't anything bad.
>> It's confirming that the cronjob that updates phishing database is completed.
>>
>> This is run on a default raspbian/debian installation with mailscanner and
>> ossec from the official repository. Didn't install any extra packages or
>> configurations for mailscanner.
>>
>> Can anyone add this upstream to the mailscanner_rules.xml? If it is
>> confirmed to work that is.
>>
>
>Test it out and let me know. If it works as intended I'll try to put it in.
>
>> --
>> Best regards,
>> Göran Lundberg
>>
>>
>> 2017-02-15 21:05 dan (ddp) wrote:
>>>
>>> On Tue, Feb 14, 2017 at 7:11 PM,  <security@lundberg.email> wrote:
>>>>
>>>> Hi! I'm trying to remove these notifications from mailscanner.
>>>>
>>>>
>>>> OSSEC HIDS Notification.
>>>> 2017 Feb 14 06:29:41
>>>>
>>>> Received From: hostname->/var/log/syslog
>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>> Portion of the log(s):
>>>>
>>>> Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated
>>>>
>>>>
>>>> --END OF NOTIFICATION
>>>>
>>>>
>>>> I've tried to make a rule for it but it's not working. Any help is
>>>> appreciated!
>>>>
>>>> <rule id="3752" level="0">
>>>> <if_sid>1002</if_sid>
>>>> <match>update.bad.phishing.sites: Phishing bad sites list updated</match>
>>>
>>>
>>> As you can see below, "update.bad.phishing.sites" is decoded as the
>>> program name:
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
>>>        hostname: 'hostname'
>>>        program_name: 'update.bad.phishing.sites'
>>>        log: 'Phishing bad sites list updated'
>>>
>>> **Phase 2: Completed decoding.
>>>        No decoder matched.
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '1002'
>>>        Level: '2'
>>>        Description: 'Unknown problem somewhere in the system.'
>>> **Alert to be generated.
>>>
>>> Using the rule:
>>>   <rule id="100067" level="0">
>>>       <if_sid>1002</if_sid>
>>>       <program_name>update.bad.phishing.sites</program_name>
>>>       <match>^Phishing bad sites list updated</match>
>>>       <description>ignore</description>
>>>   </rule>
>>>
>>> Gives me the following output:
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated'
>>>        hostname: 'hostname'
>>>        program_name: 'update.bad.phishing.sites'
>>>        log: 'Phishing bad sites list updated'
>>>
>>> **Phase 2: Completed decoding.
>>>        No decoder matched.
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '100067'
>>>        Level: '0'
>>>        Description: 'ignore'
>>>
>>>
>>>
>>>> <description>Ignore mailscanner update messages.</description>
>>>> </rule>
>>>>
>>>> --
>>>> Göran Lundberg
>>>> --
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and is
>>>> believed to be clean.
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups
>>>> "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to ossec-list+unsubscr...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>
>>
>>
>>
>


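An added example (not from the thread and not OSSEC's own code) that mimics in Python what ossec-logtest showed above: the syslog pre-decoder strips the program name out of the log field, so the first rule's `<match>`, which still contains `update.bad.phishing.sites:`, never fires, while dan's rule with `<program_name>` plus an anchored `<match>` does. The `match` semantics here are a simplified stand-in for OSSEC's pattern matcher, and rule 1002 is reduced to the single BAD_WORDS entry 'bad'.

```python
import re

# Constructed sample line, copied from the alert in the thread (hostname is a placeholder).
SAMPLE = "Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated"

# Classic syslog layout: "Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<log>.*)$"
)


def predecode(line):
    """Mimic OSSEC phase 1: split a syslog line into hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def rule_matches(rule, event):
    """Evaluate a minimal subset of rule fields: program_name (exact) and match.

    Simplified OSSEC semantics: a leading '^' anchors at the start of the decoded
    log field, otherwise the pattern is a substring search on that field."""
    if "program_name" in rule and event["program_name"] != rule["program_name"]:
        return False
    if "match" in rule:
        pat = rule["match"]
        if pat.startswith("^"):
            return event["log"].startswith(pat[1:])
        return pat in event["log"]
    return True


# Stand-in for rule 1002: only the 'bad' keyword from OSSEC's BAD_WORDS list.
RULE_1002 = {"id": "1002", "level": 2, "match": "bad"}
# The poster's first attempt: the pattern still carries the program name,
# which is no longer part of the log field after pre-decoding.
RULE_ATTEMPT = {"id": "3752", "level": 0, "if_sid": "1002",
                "match": "update.bad.phishing.sites: Phishing bad sites list updated"}
# dan's working rule: match on program_name, then anchor on the remaining text.
RULE_FIX = {"id": "100067", "level": 0, "if_sid": "1002",
            "program_name": "update.bad.phishing.sites",
            "match": "^Phishing bad sites list updated"}


def evaluate(line, child_rules):
    """Return (rule id, level) of the final matching rule, chaining children off 1002."""
    ev = predecode(line)
    if not rule_matches(RULE_1002, ev):
        return None
    final = RULE_1002
    for r in child_rules:
        if r.get("if_sid") == "1002" and rule_matches(r, ev):
            final = r
            break
    return (final["id"], final["level"])
```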