Re: [ossec-list] Alert fires, but no email generated?

2016-02-29 Thread Fredrik
Hi All!


Did some more testing earlier this afternoon and actually got the email to 
be sent. I removed the alert_by_email option and just let the rule fire by 
its level=12 classification. Restarted the ossec service, which I had done 
in the past multiple times.

I will circle back to this one, but will move on and work on all the other 
decoder/rules that I'm hoping to be able to piece together. Thanks again 
for your help on this!

Best regards,
Fredrik 


On Wednesday, February 24, 2016 at 7:28:05 AM UTC+1, Fredrik wrote:
>
> Thanks Santiago, please find more details below.
>
> Best regards,
> Fredrik 
>
> Yes, I see the alert written to alerts.log (pulled the alert below out of 
> the archive from yesterday) and email alerts are working for other rules. I 
> also restarted ossec but to no avail. Strange! 
>
> ossec-alerts-23.log.gz:
> Rule: 100130 (level 12) -> 'SCEP malware alert' Feb 23 20:37:00 ossec-svr 
> SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar 
> Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 
> AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\
> 748789-14f29c54 Quarantine Succeeded
>
> ossec.conf:
> <alerts>
>   <log_alert_level>1</log_alert_level>
>   <email_alert_level>7</email_alert_level>
> </alerts>
>
>
> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett 
> wrote:
>>
>> Did you say other alerts are triggering emails correctly? Everything 
>> looks good to me, but here are some questions that might help troubleshoot 
>> the problem.
>>
>> Do you see the alert in alerts.log file?
>> Have you configured other global email settings? 
>> What is your email_alerts_level?
>>
>>
>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik  wrote:
>>
>>> Hi All,
>>>
>>> Another question for all you Ossec gurus. I have another rule set up to 
>>> handle messages in a somewhat strange format (below). I would like this to 
>>> ultimately trigger an email alert - which is working for other rules. 
>>>
>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com 
>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection 
>>> time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\
>>> LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine 
>>> Succeeded
>>>
>>> I see that an alert is written to alerts.log, and ossec-logtest finished 
>>> processing with **Alert to be generated. However, no email is sent? 
>>>
>>> <rule id="100130" level="12">
>>>   <decoded_as>MSSCEP</decoded_as>
>>>   <options>alert_by_email</options>
>>>   <description>SCEP malware alert</description>
>>> </rule>
>>>
>>> As I wasn't sure how to best extract fields from the message above, the 
>>> decoder simply matches on <program_name>; please feel free to suggest 
>>> variants to decode the message and make use of the fields available in 
>>> OSSEC. Perhaps my failure to do so can have something to do with the 
>>> missing email alert?
>>>
>>> <decoder name="MSSCEP">
>>>   <program_name>SCEP</program_name>
>>>   <type>syslog</type>
>>> </decoder>
>>>
>>>
>>> Finally, output from ossec-logtest:
>>>
>>> **Phase 1: Completed pre-decoding.
>>>full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware 
>>> alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of 
>>> infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM 
>>> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
>>>  
>>> Quarantine Succeeded'
>>>hostname: 'ossec-srv'
>>>program_name: 'SCEP'
>>>log: 'Malware alert: client2.domain.com 
>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection 
>>> time(UTC time): 8/5/2013 10:42:41 AM 
>>> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
>>>  
>>> Quarantine Succeeded'
>>>
>>> **Phase 2: Completed decoding.
>>>decoder: 'MSSCEP'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>Rule id: '100130'
>>>Level: '12'
>>>Description: 'SCEP malware alert'
>>> **Alert to be generated.
>>>
>>> Best regards,
>>> Fredrik 
>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

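The decoder variant that Fredrik's original post (quoted above) asks for, added here as an example; it is not code from the thread or from the OSSEC project. The parent decoder is the one from the thread, keyed on the syslog program name. The child decoder parses the "Malware alert:" body and places the client name, threat name, file path and outcome into OSSEC's fixed decoder fields so that rules can key on them. The regex is written in OSSEC's own dialect (\S, \d, \w, \. and escaped parentheses), not PCRE. Assumptions: an OSSEC release whose decoders accept the system_name field (2.8 or later); the mapping onto system_name, data, extra_data and action, the child decoder name MSSCEP-malware, the group name "scep," and rule id 100131 are this example's choices, not anything the thread specifies.

```xml
<!-- local_decoder.xml (added example, not the thread's own file) -->

<!-- Parent: same as the thread's decoder, keyed on the syslog program name. -->
<decoder name="MSSCEP">
  <program_name>^SCEP</program_name>
</decoder>

<!-- Child: parses the body after "Malware alert: ". Written against the
     line from the thread:
       Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar
       Number of infections: 1 Last detection time(UTC time): 8/5/2013
       10:42:41 AM file:_C:\Users\toho\...\748789-14f29c54 Quarantine Succeeded
     Field mapping (this example's choice, OSSEC fixed field names):
       system_name = client host, data = threat name,
       extra_data  = quarantined file path, action = outcome. -->
<decoder name="MSSCEP-malware">
  <parent>MSSCEP</parent>
  <prematch>^Malware alert: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: \d+ Last detection time\(UTC time\): \S+ \S+ \S+ file:_(\.+) (\w+ \w+)$</regex>
  <order>system_name, data, extra_data, action</order>
</decoder>

<!-- local_rules.xml (added example). 100130 keeps the id and level used in
     the thread but is narrowed to the "Malware alert:" message, since the
     original rule fired on every line from program SCEP. -->
<group name="scep,">
  <rule id="100130" level="12">
    <decoded_as>MSSCEP</decoded_as>
    <match>^Malware alert: </match>
    <description>SCEP malware alert (outcome unknown or not quarantined)</description>
  </rule>

  <!-- Child rule: the engine contained the threat. Level 8 still reaches
       the default email_alert_level of 7, so it is still mailed, but it is
       distinguishable from an uncontained detection. The action string is
       compared exactly, so it must match what the decoder captured. -->
  <rule id="100131" level="8">
    <if_sid>100130</if_sid>
    <action>Quarantine Succeeded</action>
    <description>SCEP malware alert, file quarantined</description>
  </rule>
</group>
```

Replay the thread's sample line through /var/ossec/bin/ossec-logtest after loading both files: phase 2 should now list system_name, data, extra_data and action, and phase 3 should report rule 100131 for a "Quarantine Succeeded" line and 100130 for any other outcome. With email_alert_level at 7 both rules qualify for e-mail on level alone; the alert_by_email option only changes anything for rules below that threshold. Paths containing spaces are the case to test explicitly, since the path capture runs up to the last two words of the line.
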

Re: [ossec-list] Alert fires, but no email generated?

2016-02-29 Thread Fredrik
Hi Eero! Thanks again. I will read up on mail configurations for OSSEC to 
make sure I have incorporated the requirements in my setup - any pointer to 
a good resource? Will start with the online docs and books I have on topic 
:)

You don't have any other tips on what could be worth investigating, given 
that email_alerts seems to be working for other rules?

Best regards,
Fredrik 

On Wednesday, February 24, 2016 at 8:48:41 AM UTC+1, Eero Volotinen wrote:
>
> You should also point your ossec mail configuration to local smtp 
> instance. 
>
> --
> Eero
>

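A mail configuration of the kind Santiago's and Eero's questions point at, added here as an example; it is not the thread's ossec.conf and not OSSEC project code. It collects the settings that decide whether a fired alert becomes an e-mail: email_notification must be on, the rule's level must reach email_alert_level (or the rule must carry the alert_by_email option), and a granular email_alerts block can route a specific rule to its own recipient and bypass OSSEC's batching. The addresses, host names and the local-MTA choice are placeholders; rule id 100130 is the one from the thread.

```xml
<!-- ossec.conf excerpt (added example; addresses and hosts are placeholders) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>                 <!-- placeholder -->
    <!-- Local MTA, as Eero suggests; ossec-maild speaks SMTP to it directly. -->
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@ossec-srv.example.com</email_from>  <!-- placeholder -->
    <!-- Hourly cap: once it is hit, further mail is rate-limited, which can
         look like "alert fired, no e-mail" on a busy server. -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <!-- Same values as in the thread: every alert at level 1+ is logged,
       everything at level 7+ is mailed to the global recipient. -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular delivery for the SCEP rule: a separate recipient, sent at
       once rather than batched with other alerts. This is in addition to
       the global e-mail, which the rule still gets on level alone. -->
  <email_alerts>
    <email_to>malware-response@example.com</email_to>    <!-- placeholder -->
    <rule_id>100130</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

After editing, restart OSSEC and confirm ossec-maild is running with /var/ossec/bin/ossec-control status; SMTP failures are written to /var/ossec/logs/ossec.log. Eero's test (echo foo | mail ...) exercises the local MTA through mail(1), but ossec-maild does not use mail(1): it opens its own SMTP session to smtp_server, so a working mail(1) does not by itself prove the OSSEC delivery path. Without do_not_delay, OSSEC batches alerts before mailing, so a single alert can arrive some minutes after it was logged.
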
Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Eero!

Yes, this works in my setup :) Tried it to make sure. Sendmail is installed 
on this particular box, so changed mail into sendmail and fired away :)

Best regards,
Fredrik 


Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
is this working on your ossec server:

echo foo | mail youremail@yourdomain -s 'test'

could you give example of your mail configuration?

Eero


Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Eero!

Anything specific to look for that could conflict with this particular 
alert - mail alerts seem to be working fine for other rules? 

I checked the mail.info for anything obvious, but couldn't see anything 
suspicious at a first glance...

Best regards,
Fredrik 



Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
Please check your mail server configuration?



Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Santiago, please find more details below.

Best regards,
Fredrik 

Yes, I see the alert written to alerts.log (pulled the alert below out of 
the archive from yesterday) and email alerts are working for other rules. I 
also restarted ossec but to no avail. Strange! 

ossec-alerts-23.log.gz:
Rule: 100130 (level 12) -> 'SCEP malware alert' Feb 23 20:37:00 ossec-svr 
SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar 
Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-
14f29c54 Quarantine Succeeded

ossec.conf:
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>




Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Santiago Bassett
Did you say other alerts are triggering emails correctly? Everything looks
good to me, but here are some questions that might help troubleshoot the
problem.

Do you see the alert in alerts.log file?
Have you configured other global email settings?
What is your email_alerts_level?


On Tue, Feb 23, 2016 at 12:11 PM, Fredrik  wrote:

> Hi All,
>
> Another question for all you Ossec gurus. I have another rule set up to
> handle messages in a somewhat strange format (below). I would like this to
> ultimately trigger an email alert - which is working for other rules.
>
> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com
> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time
> (UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun
> \Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>
> I see that an alert is written to alerts.log, and ossec-logtest finished
> processing with **Alert to be generated. However, no email is sent?
>
> 
>
>MSSCEP
>alert_by_email
>SCEP malware alert
>   
> 
>
> As I wasn't sure how to best extract fields from the message above, the
> decoder simply matches on <program_name>; please feel free to suggest
> variants to decode the message and make use of the fields available in
> OSSEC. Perhaps my failure to do so can have something to do with the
> missing email alert?
>
> <decoder name="MSSCEP">
>   <program_name>SCEP</program_name>
>   <type>syslog</type>
> </decoder>
>
>
> Finally, output from ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
>full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert:
> client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1
> Last detection time(UTC time): 8/5/2013 10:42:41 AM
> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
> Quarantine Succeeded'
>hostname: 'ossec-srv'
>program_name: 'SCEP'
>log: 'Malware alert: client2.domain.com
> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection
> time(UTC time): 8/5/2013 10:42:41 AM
> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
> Quarantine Succeeded'
>
> **Phase 2: Completed decoding.
>decoder: 'MSSCEP'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '100130'
>Level: '12'
>Description: 'SCEP malware alert'
> **Alert to be generated.
>
> Best regards,
> Fredrik
>


[ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Hi All,

Another question for all you Ossec gurus. I have another rule set up to 
handle messages in a somewhat strange format (below). I would like this to 
ultimately trigger an email alert - which is working for other rules. 

Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com 
Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC 
time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\
Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded

I see that an alert is written to alerts.log, and ossec-logtest finished 
processing with **Alert to be generated. However, no email is sent? 

<rule id="100130" level="12">
  <decoded_as>MSSCEP</decoded_as>
  <options>alert_by_email</options>
  <description>SCEP malware alert</description>
</rule>


As I wasn't sure how to best extract fields from the message above, the 
decoder simply matches on <program_name>; please feel free to suggest 
variants to decode the message and make use of the fields available in 
OSSEC. Perhaps my failure to do so can have something to do with the 
missing email alert?

<decoder name="MSSCEP">
  <program_name>SCEP</program_name>
  <type>syslog</type>
</decoder>


Finally, output from ossec-logtest:

**Phase 1: Completed pre-decoding.
   full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: 
client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 
Last detection time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 
Quarantine Succeeded'
   hostname: 'ossec-srv'
   program_name: 'SCEP'
   log: 'Malware alert: client2.domain.com 
Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection 
time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 
Quarantine Succeeded'

**Phase 2: Completed decoding.
   decoder: 'MSSCEP'

**Phase 3: Completed filtering (rules).
   Rule id: '100130'
   Level: '12'
   Description: 'SCEP malware alert'
**Alert to be generated.

Best regards,
Fredrik 

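The field extraction the original post asks about, and the three checks Santiago lists (is the alert in alerts.log, what are the global e-mail settings, what is the e-mail alert level), as an added example that is not part of the thread and not OSSEC's own code: a Python parser for the SCEP "Malware alert" line (with an equivalent OSSEC decoder sketched as a string), a check for the "mail" flag in an alerts.log entry header, and a small model of how a rule's level and options combine with ossec.conf's <log_alert_level>, <email_alert_level> and <email_notification> settings. The regexes, the field names chosen for the OSSEC <order> line, the alerts.log header layout and the gating model are this example's own assumptions about OSSEC 2.x behaviour, not quoted from its source; the sample lines are constructed from the one posted above.

```python
"""
Added example, not code from the thread or from OSSEC itself.

Assumptions (verify with ossec-logtest on your own data): the SCEP message
layout below, the field names in the proposed <order> line, the alerts.log
header layout, and the alert/e-mail gating model.
"""
import re
from dataclasses import dataclass

# Constructed sample: the line posted in the thread.
SAMPLE = (
    "Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com "
    "Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection "
    "time(UTC time): 8/5/2013 10:42:41 AM "
    "file:_C:\\Users\\user1\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\9\\748789-14f29c54 "
    "Quarantine Succeeded"
)

# Syslog header as ossec-logtest pre-decodes it: timestamp, hostname,
# program_name[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

# SCEP message body.  Assumptions: client and threat names contain no spaces,
# the file path may contain spaces, and the trailing action is always two
# words (e.g. "Quarantine Succeeded"), which is what lets the lazy path match
# stop in the right place.
SCEP_RE = re.compile(
    r"^Malware alert: (?P<client>\S+) (?P<threat>\S+) "
    r"Number of infections: (?P<count>\d+) "
    r"Last detection time\s*\(UTC time\): (?P<detected>.+?) "
    r"file:_(?P<path>.+?) (?P<action>\w+ \w+)$"
)

# Proposed OSSEC-syntax equivalent for local_decoder.xml (assumption, untested
# here).  It extracts only the first three fields: OSSEC's regex dialect has
# no lazy quantifier, so the path and action are left unextracted.  Rules can
# keep <decoded_as>MSSCEP</decoded_as>, since that is the parent decoder.
OSSEC_DECODER = r"""
<decoder name="MSSCEP">
  <program_name>^SCEP$</program_name>
</decoder>

<decoder name="MSSCEP-malware">
  <parent>MSSCEP</parent>
  <prematch>^Malware alert: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: (\d+) </regex>
  <order>system_name, extra_data, id</order>
</decoder>
"""


def parse_scep_line(line):
    """Return the decoded fields of one SCEP syslog line, or None if it is not one."""
    head = SYSLOG_RE.match(line)
    if not head or head.group("program_name") != "SCEP":
        return None
    body = SCEP_RE.match(head.group("log"))
    if not body:
        return None
    fields = head.groupdict()
    fields.update(body.groupdict())
    fields["count"] = int(fields["count"])
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


# Constructed alerts.log entry.  Assumption: analysisd writes " mail" after the
# colon in the "** Alert" header only when the rule is flagged for e-mail, and
# ossec-maild keys on that flag.
SAMPLE_ALERT = (
    "** Alert 1456254006.12345: mail - local,\n"
    "2016 Feb 23 20:18:06 ossec-srv->/var/log/messages\n"
    "Rule: 100130 (level 12) -> 'SCEP malware alert'\n" + SAMPLE + "\n"
)
ALERT_HEADER_RE = re.compile(r"^\*\* Alert \d+\.\d+:(?P<mail> mail)? - (?P<groups>.*)$")


def alert_flagged_for_mail(alert_text):
    """True if the alerts.log entry header carries the mail flag maild looks for."""
    m = ALERT_HEADER_RE.match(alert_text.splitlines()[0])
    if not m:
        raise ValueError("not an alerts.log entry header")
    return m.group("mail") is not None


@dataclass(frozen=True)
class Rule:
    id: int
    level: int
    options: frozenset = frozenset()  # e.g. {"alert_by_email", "no_email_alert"}


def alert_disposition(rule, log_alert_level, email_alert_level, email_notification=True):
    """Model (assumption) of OSSEC 2.x per-rule gating; returns (logged, mailed).

    log_alert_level / email_alert_level are ossec.conf <alerts> settings,
    email_notification is the <global> setting.  Level 0 rules never alert;
    alert_by_email forces mail below the threshold, no_email_alert suppresses
    it; maild reads alerts.log, so an unlogged alert can never be mailed.
    """
    if rule.level == 0:
        return (False, False)
    logged = rule.level >= log_alert_level
    mailed = rule.level >= email_alert_level or "alert_by_email" in rule.options
    if "no_email_alert" in rule.options:
        mailed = False
    return (logged, logged and mailed and email_notification)
```

Run ossec-logtest with the proposed decoder in local_decoder.xml to confirm the fields before writing rules that use them, and look at the "** Alert" header of the entry in alerts.log: if the " mail" flag is missing, analysisd never marked the rule for e-mail (check <email_notification>, the <alerts> levels, and that the daemons were restarted after the change); if it is present and nothing arrives, the remaining suspects are ossec-maild itself, the SMTP settings, and the per-hour cap (email_maxperhour).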