Question about OSSEC alerts
- Forum Regular
- Posts: 196
- Joined: Tue May 10, 2005 1:24 pm
Question about OSSEC alerts
Since implementing clapf for clamav scans of email using postfix, the email notification I get from OSSEC is filled with items that include the word attack. So, if an email comes in with heart attack (for example) in the subject, that is in the email notifications I get since clapf lists the subject in the log file. I found the file causing this to happen (/var/ossec/etc/rules.d/40_asl_syslog_rules.xml), but am not sure what to do to fix it. Is there a way to ignore lines with heart attack, etc. in the line and keep the ones with just attack in them? Also, I read in another post that if I change this file, it will probably get overwritten. What would be the suggested way to fix this?
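As an added example (not from the original post or from Atomicorp), the standard OSSEC way to suppress a specific false positive without editing a shipped rule file is an override rule in local_rules.xml, which OSSEC updates leave untouched. The rule below is assumed, not taken from the thread: it uses `<if_sid>` to hook the rule that currently fires, matches the benign phrase, and sets level 0 so no alert or email is generated. The parent rule ID is a placeholder (look it up in 40_asl_syslog_rules.xml, or in the "Rule:" line of the false positive email); 100001 follows the OSSEC convention of starting local rule IDs at 100000. The file path also assumes the Atomicorp layout and should be checked on the box.

```xml
<!-- /var/ossec/etc/rules.d/local_rules.xml  (path assumed; verify locally) -->
<!-- Example override rule, not part of the ASL rule set. -->
<group name="local,syslog,clapf,">

  <!--
    Child of the ASL rule that alerts on "attack" in clapf subject logs.
    REPLACE PARENT_RULE_ID with the numeric id of that rule from
    40_asl_syslog_rules.xml (placeholder; not known from the thread).
    level="0" means: matched, but do not alert and do not email.
    <match> is a literal substring test; only events that contain
    "heart attack" are silenced. Events with the bare word "attack"
    never reach this rule's match and still alert as before.
  -->
  <rule id="100001" level="0">
    <if_sid>PARENT_RULE_ID</if_sid>
    <match>heart attack</match>
    <description>clapf: "heart attack" in mail subject is not an attack</description>
  </rule>

</group>
```

After saving, a quick check is to paste one of the offending clapf log lines into /var/ossec/bin/ossec-logtest: the output should now show rule 100001 at level 0 instead of the parent rule. Then restart OSSEC so the new rule file is loaded. Each additional benign phrase can get its own rule with the next free id (100002, 100003, ...), which keeps the overrides reviewable and keeps the original "attack" detection intact.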
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: Question about OSSEC alerts
Send us the false positive report from that. I'd love to see it
- Forum Regular
- Posts: 196
- Joined: Tue May 10, 2005 1:24 pm
Re: Question about OSSEC alerts
OK, I just sent one.