Email alert

Support/Development for OSSEC
tonny
Forum User
Posts: 11
Joined: Fri Apr 09, 2021 8:56 am
Location: Sweden

Email alert

Post by tonny »

Hi,
I configured OSSEC and it works almost as expected.
The config contains


  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
But my email gets flooded with level 2 alerts. Should this config not just send email on alert levels 7...15?

Kind regards
Tonny
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4152
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Email alert

Post by mikeshinn »

Could you tell me what version of OSSEC you are using?
tonny
Forum User
Posts: 11
Joined: Fri Apr 09, 2021 8:56 am
Location: Sweden

Re: Email alert

Post by tonny »

Hi,
Sorry, should have noted from the start: OSSEC HIDS v3.7.0
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4152
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Email alert

Post by mikeshinn »

That should work for your system. There are some rules that are set to always be delivered regardless of level by default (this can be overridden in the rule). What was/are the rule IDs you're being sent that are below 7?
tonny
Forum User
Posts: 11
Joined: Fri Apr 09, 2021 8:56 am
Location: Sweden

Re: Email alert

Post by tonny »

Hi,
The rule is


Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
So it could make kind of sense to fire an alert anyway so an engineer will look and determine the severity.

Given your reply, I looked up the rule


  <rule id="1002" level="2">
    <pcre2>$BAD_WORDS</pcre2>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
and so I guess


<options>alert_by_email</options>
means send an email anyway.

Looked a bit further and BAD_WORDS are:


core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
and syslog says:


Aug 23 08:00:21 tech-server nagios: wproc:   early_timeout=0; exited_ok=1; wait_status=31488; error_code=0;
and I obviously need to tweak a bit, because "error_code=0;" is still regarded as a bad word then.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4152
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Email alert

Post by mikeshinn »

Yes, the intent of rule 1002 is to catch anything that doesn't match an existing rule, and by default it will always be sent regardless of your other global settings. The rule indicates that there's something OSSEC doesn't understand (yet) but could be a problem and you should investigate it (and add a rule if needed):

https://wiki.atomicorp.com/wiki/index.php/HIDS_1002

In general you should let that rule continue to alert you, and add rules as needed to either filter out those events you do not want to be alerted on and/or add rules to properly categorize them. For example, in the Atomic OSSEC SAAS platform these events are used to automatically generate new rules.
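The two points made in this thread, that rule 1002 is emailed at level 2 because of `alert_by_email`, and that `$BAD_WORDS` matches the substring "error" inside the benign Nagios line, can be checked offline with the small simulation below. It is an added example, not code from the thread or from OSSEC: it reproduces OSSEC's first-match evaluation order in plain Python, using the `$BAD_WORDS` list and the `email_alert_level` quoted above. The filter rule (id 100001, its pattern, and the level-0 "ignore" convention) is an assumption standing in for the kind of local rule mikeshinn suggests adding; the log lines other than the Nagios one are constructed.

```python
import re
from dataclasses import dataclass, field

# $BAD_WORDS exactly as quoted from rules.xml earlier in the thread.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused"
    r"|unauthorized|fatal|failed|Segmentation Fault|Corrupted"
)

# <email_alert_level>7</email_alert_level> from the poster's ossec.conf.
EMAIL_ALERT_LEVEL = 7


@dataclass
class Rule:
    rule_id: int
    level: int
    pattern: re.Pattern
    description: str
    options: set = field(default_factory=set)


# Hypothetical rule set. As in OSSEC, the first rule that matches wins, so a
# specific local rule placed ahead of generic 1002 takes precedence over it.
RULES = [
    # Assumed local rule (id 100001 is illustrative): Nagios worker-process
    # bookkeeping that reports error_code=0 is benign, so level 0 drops it
    # before rule 1002 ever sees the word "error".
    Rule(100001, 0,
         re.compile(r"nagios: wproc: .*error_code=0;"),
         "Nagios wproc status line with error_code=0 (benign)."),
    # Generic catch-all from the thread: level 2, but always emailed.
    Rule(1002, 2, BAD_WORDS,
         "Unknown problem somewhere in the system.",
         {"alert_by_email"}),
]

# Sample syslog lines: the first is the one posted above, the rest are constructed.
SAMPLE_LOG = [
    "Aug 23 08:00:21 tech-server nagios: wproc:   early_timeout=0; exited_ok=1; "
    "wait_status=31488; error_code=0;",
    "Aug 23 08:01:02 tech-server myapp[2231]: Segmentation Fault in worker thread",
    "Aug 23 08:01:30 tech-server cron[411]: (root) CMD (/usr/bin/logrotate)",
]


def bad_word_hit(line: str):
    """Return the exact $BAD_WORDS token that fired, or None if none did.

    Shows *why* a line trips 1002: for the Nagios line it is the bare
    substring "error" inside "error_code=0;".
    """
    m = BAD_WORDS.search(line)
    return m.group(0) if m else None


def evaluate(line: str, rules=RULES):
    """Return (rule_id, level, emailed) for the first matching rule, or None.

    Level-0 rules never alert or email; otherwise an email goes out when the
    level reaches email_alert_level or the rule carries alert_by_email.
    """
    for rule in rules:
        if rule.pattern.search(line):
            emailed = rule.level > 0 and (
                rule.level >= EMAIL_ALERT_LEVEL or "alert_by_email" in rule.options
            )
            return rule.rule_id, rule.level, emailed
    return None


def evaluate_without_filter(line: str):
    """Same evaluation with only the generic rule, i.e. the poster's situation."""
    return evaluate(line, rules=[r for r in RULES if r.rule_id == 1002])


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{line[:60]!r:>64} bad word: {bad_word_hit(line)!r}")
        print(f"{'':>64} before local rule: {evaluate_without_filter(line)}")
        print(f"{'':>64} after  local rule: {evaluate(line)}")
```

Running it shows the Nagios line emailing at level 2 without the local rule and being silently discarded with it, while the constructed "Segmentation Fault" line still reaches 1002 and is emailed, which is the behaviour mikeshinn recommends keeping.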
tonny
Forum User
Posts: 11
Joined: Fri Apr 09, 2021 8:56 am
Location: Sweden

Re: Email alert

Post by tonny »

Thank you, it's much appreciated!