Question about OSSEC alerts

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Troy McClure
Forum Regular
Posts: 196
Joined: Tue May 10, 2005 1:24 pm

Question about OSSEC alerts

Unread post by Troy McClure »

Since implementing clapf for clamav scans of email using postfix, the email notification I get from OSSEC is filled with items that include the word attack. So, if an email comes in with heart attack (for example) in the subject, that is in the email notifications I get since clapf lists the subject in the log file. I found the file causing this to happen (/var/ossec/etc/rules.d/40_asl_syslog_rules.xml), but am not sure what to do to fix it. Is there a way to ignore lines with heart attack, etc. in the line and keep the ones with just attack in them? Also, I read in another post that if I change this file, it will probably get overwritten. What would be the suggested way to fix this?
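The usual OSSEC way to handle a false positive like this without editing the shipped rule file is a child rule at level 0 in the local rules file, which package updates do not overwrite; the fragment below is an added illustration, not something posted in this thread or shipped by Atomicorp. It assumes the parent rule id (PARENT_RULE_ID, taken from the "Rule:" line of the alert or from /var/ossec/bin/ossec-logtest) and that the local rules file for your install is the stock OSSEC one at /var/ossec/rules/local_rules.xml (check the ASL documentation for its location); the id 100100 is a constructed value in the user-reserved 100000-119999 range.

```xml
<!-- Added example: drop alerts for clapf subject lines containing "heart attack"
     while leaving the parent "attack" rule from 40_asl_syslog_rules.xml intact. -->
<group name="local,syslog,">

  <!-- Child rule: only evaluated after PARENT_RULE_ID has already matched the
       log line. Level 0 means the event is discarded and no alert is sent.
       Replace PARENT_RULE_ID with the real rule id shown in the OSSEC alert. -->
  <rule id="100100" level="0">
    <if_sid>PARENT_RULE_ID</if_sid>
    <match>heart attack</match>
    <description>Ignore clapf subject lines that mention a heart attack.</description>
  </rule>

  <!-- Lines that contain "attack" but not "heart attack" never reach rule 100100,
       so they still fire PARENT_RULE_ID at its original level. -->

</group>
```

After saving, restart OSSEC and confirm with ossec-logtest that a sample clapf line with "heart attack" ends at rule 100100 (level 0) while a plain "attack" line still hits the parent rule.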
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Question about OSSEC alerts

Unread post by scott »

Send us the false positive report from that. I'd love to see it
Troy McClure
Forum Regular
Posts: 196
Joined: Tue May 10, 2005 1:24 pm

Re: Question about OSSEC alerts

Unread post by Troy McClure »

OK, I just sent one.