Question about OSSEC alerts
Posted: Thu Apr 16, 2015 12:53 pm
Since implementing clapf for clamav scans of email using postfix, the email notification I get from OSSEC is filled with items that include the word attack. So, if an email comes in with heart attack (for example) in the subject, that is in the email notifications I get since clapf lists the subject in the log file. I found the file causing this to happen (/var/ossec/etc/rules.d/40_asl_syslog_rules.xml), but am not sure what to do to fix it. Is there a way to ignore lines with heart attack, etc. in the line and keep the ones with just attack in them? Also, I read in another post that if I change this file, it will probably get overwritten. What would be the suggested way to fix this?
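The usual OSSEC way to handle this without editing a shipped rule file is a child rule in /var/ossec/etc/rules/local_rules.xml, the file reserved for site-specific rules that is not replaced when the rule set is updated. The fragment below is an added example, not from the post above or from the OSSEC or clapf projects; it assumes the local rule id 100100 (ids 100000 and up are reserved for local rules), and PARENT_RULE_ID is a placeholder for the id of the rule in 40_asl_syslog_rules.xml that is currently firing on the clapf subject lines.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml
     Added example (not from the original post). A child rule with level 0
     takes precedence over its parent for matching lines, so the line is
     still decoded but no alert and no email are generated. Lines that
     contain only "attack" do not match the child rule and keep alerting
     under the parent. -->
<group name="local,syslog,">

  <!-- PARENT_RULE_ID is a placeholder: replace it with the numeric id of
       the rule in 40_asl_syslog_rules.xml that matches the clapf log lines.
       <match> is a case-sensitive substring match on the decoded log line. -->
  <rule id="100100" level="0">
    <if_sid>PARENT_RULE_ID</if_sid>
    <match>heart attack</match>
    <description>clapf subject line containing "heart attack"; benign, suppressed.</description>
  </rule>

</group>
```

After editing, validate and reload the rules (for example with /var/ossec/bin/ossec-logtest, pasting one of the offending log lines, before restarting OSSEC) and confirm that the line now hits rule 100100 at level 0 while a line containing only "attack" still hits the parent rule.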