Re: [ossec-list] Alert fires, but no email generated?
Hi All!

Did some more testing earlier this afternoon and actually got the email to be sent. I removed the alert_by_email option and just let the rule fire by its level=12 classification. Restarted the ossec service, which I had done in the past multiple times. I will circle back to this one, but will move on and work on all the other decoders/rules that I'm hoping to be able to piece together.

Thanks again for your help on this!

Best regards,
Fredrik

On Wednesday, February 24, 2016 at 7:28:05 AM UTC+1, Fredrik wrote:

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Alert fires, but no email generated?
Hi Eero!

Thanks again. I will read up on mail configurations for OSSEC to make sure I have incorporated the requirements in my setup - any pointer to a good resource? Will start with the online docs and books I have on the topic :)

You don't have any other tips on what could be worth investigating, given that email_alerts seems to be working for other rules?

Best regards,
Fredrik

On Wednesday, February 24, 2016 at 8:48:41 AM UTC+1, Eero Volotinen wrote:
> You should also point your ossec mail configuration to local smtp instance.
>
> --
> Eero
>
> 2016-02-24 9:34 GMT+02:00 Fredrik:
Re: [ossec-list] Alert fires, but no email generated?
Thanks Eero!

Yes, this works in my setup :) Tried it to make sure. Sendmail is installed on this particular box, so changed mail into sendmail and fired away :)

Best regards,
Fredrik

On Wednesday, February 24, 2016 at 8:12:41 AM UTC+1, Eero Volotinen wrote:
Re: [ossec-list] Alert fires, but no email generated?
is this working on your ossec server:

echo foo | mail youremail@yourdomain -s 'test'

could you give example of your mail configuration?

Eero

2016-02-24 9:00 GMT+02:00 Fredrik:
Re: [ossec-list] Alert fires, but no email generated?
Thanks Eero!

Anything specific to look for that could conflict with this particular alert - mail alerts seem to be working fine for other rules?

I checked the mail.info for anything obvious, but couldn't see anything suspicious at a first glance...

Best regards,
Fredrik

On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
Re: [ossec-list] Alert fires, but no email generated?
Please check your mail server configuration?

2016-02-24 8:28 GMT+02:00 Fredrik:
Re: [ossec-list] Alert fires, but no email generated?
Thanks Santiago, please find more details below.

Best regards,
Fredrik

Yes, I see the alert written to alerts.log (pulled the alert below out of the archive from yesterday) and email alerts are working for other rules. I also restarted ossec but to no avail. Strange!

ossec-alerts-23.log.gz:

Rule: 100130 (level 12) -> 'SCEP malware alert'
Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded

ossec.conf:

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>

On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
Re: [ossec-list] Alert fires, but no email generated?
Did you say other alerts are triggering emails correctly? Everything looks good to me, but here are some questions that might help troubleshoot the problem.

Do you see the alert in alerts.log file?
Have you configured other global email settings?
What is your email_alerts_level?

On Tue, Feb 23, 2016 at 12:11 PM, Fredrik wrote:
[ossec-list] Alert fires, but no email generated?
Hi All,

Another question for all you Ossec gurus. I have another rule set up to handle messages in a somewhat strange format (below). I would like this to ultimately trigger an email alert - which is working for other rules.

Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded

I see that an alert is written to alerts.log, and ossec-logtest finished processing with **Alert to be generated. However, no email is sent?

<rule id="100130" level="12">
  <decoded_as>MSSCEP</decoded_as>
  <options>alert_by_email</options>
  <description>SCEP malware alert</description>
</rule>

As I wasn't sure how to best extract fields from the message above, the decoder simply matches on , please feel free to suggest variants to decode the message and make use of the fields available in OSSEC. Perhaps my failure to do so can have something to do with the missing email alert?

<decoder name="MSSCEP">
  <program_name>SCEP</program_name>
  <type>syslog</type>
</decoder>

Finally, output from ossec-logtest:

**Phase 1: Completed pre-decoding.
       full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
       hostname: 'ossec-srv'
       program_name: 'SCEP'
       log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'

**Phase 2: Completed decoding.
       decoder: 'MSSCEP'

**Phase 3: Completed filtering (rules).
       Rule id: '100130'
       Level: '12'
       Description: 'SCEP malware alert'
**Alert to be generated.

Best regards,
Fredrik
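A decoder that actually extracts the fields from the SCEP line, plus rules that use them, as an added example that is not part of the thread or of OSSEC's shipped rulesets. It assumes the log format shown in the post and standard OSSEC decoder syntax (program_name, prematch, regex, order); because <order> only accepts OSSEC's fixed field names, the infection count and file path are mapped onto id and extra_data, and the "Failed" status wording in rule 100131 is a hypothetical value, not one taken from SCEP.

```xml
<!-- Added example, not code from the thread. The <decoder> elements belong in
     local_decoder.xml, the <group> in local_rules.xml. -->

<!-- Parent decoder: selected by the syslog program name. The pre-decoder has
     already reduced 'SCEP[26457]' to 'SCEP', as the ossec-logtest output shows. -->
<decoder name="MSSCEP">
  <program_name>^SCEP$</program_name>
</decoder>

<!-- Child decoder: runs on the remaining log text, which starts with
     'Malware alert: '. In OSSEC regex syntax \S+ is a run of non-space
     characters, \d+ digits, \w+ word characters, \.+ any characters, and a
     plain '.' is a literal dot. Capture groups map positionally onto <order>. -->
<decoder name="MSSCEP-malware">
  <parent>MSSCEP</parent>
  <prematch>^Malware alert: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: (\d+) \.+ file:_(\.+) Quarantine (\w+)$</regex>
  <!-- system_name = reporting client (client2.domain.com)
       data        = threat name (Exploit:Java/CVE-2012-1723!jar)
       id          = infection count (1)            [pragmatic field reuse]
       extra_data  = quarantined file path           [pragmatic field reuse]
       status      = quarantine result (Succeeded) -->
  <order>system_name, data, id, extra_data, status</order>
</decoder>

<group name="scep,malware,">
  <!-- Level 12 is already above the email_alert_level of 7 in the poster's
       <alerts> block, so this rule is emailed without <options>alert_by_email</options>;
       that is the configuration the thread ended up with. -->
  <rule id="100130" level="12">
    <decoded_as>MSSCEP</decoded_as>
    <match>Malware alert: </match>
    <description>SCEP malware alert</description>
  </rule>

  <!-- Escalate when the quarantine did not succeed. <status> is matched as a
       regex against the decoded status field; 'Failed' is an assumed wording. -->
  <rule id="100131" level="14">
    <if_sid>100130</if_sid>
    <status>^Failed</status>
    <description>SCEP malware alert: quarantine did not succeed</description>
  </rule>

  <!-- Composite rule: three or more SCEP malware alerts within ten minutes,
       regardless of client, suggests something spreading rather than a one-off. -->
  <rule id="100132" level="13" frequency="3" timeframe="600">
    <if_matched_sid>100130</if_matched_sid>
    <description>Multiple SCEP malware alerts in a short period</description>
  </rule>
</group>
```

Feed the sample line from the post to /var/ossec/bin/ossec-logtest: Phase 2 should now list the decoded system_name, data, id, extra_data and status values, and Phase 3 should still select rule 100130.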