LinuxQuestions.org
Old 07-29-2010, 09:08 AM   #1
glennbtn
Member
 
Registered: Dec 2009
Posts: 89

Rep: Reputation: 18
ossec Issue


Hi All

I have installed a CentOS machine running Zimbra with the APF firewall. I only have a few ports open to the outside, such as 25, 443, 110 etc. I have installed OSSEC to keep an eye on this, but every now and then I get a message which gets emailed to my phone about 12 times. I don't mind the odd one, but I want to stop this.

I enclose the OSSEC email below. The IP address does change, so it is not the same one. I just need to know how I can sort the issue.

Thanks

OSSEC HIDS Notification.
2010 Jul 29 13:02:57

Received From: mail->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 29 13:02:54 mail named[2374]: connection refused resolving '1004web.com/NS/IN': 114.108.131.211#53



--END OF NOTIFICATION
 
Old 07-29-2010, 09:37 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,693
Blog Entries: 54

Rep: Reputation: 2961
Edit your BIND config and silence some errors ("category lame-servers") and override OSSEC with a local_rules.xml ("if_sid 1002 and program_name named and read_data contains connection refused resolving then no_email_alert")?
 
Old 07-29-2010, 10:06 AM   #3
glennbtn
Member
 
Registered: Dec 2009
Posts: 89

Original Poster
Rep: Reputation: 18
That's great, thanks.

How do I need to add this to the local_rules.xml? I am still a novice at this, and the other examples don't seem to be similar.

Thanks
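
One way to write the override outlined in post #2 as a local_rules.xml entry, given here as an added example that is not part of the original thread. The rule ID 100100 and the group name are assumptions chosen for illustration (OSSEC reserves 100000 and up for local rules); the match string is taken from the log line in the alert above.

```xml
<!-- local_rules.xml: added example, not from the original thread -->
<group name="local,syslog,">

  <!-- Child of the generic rule 1002. It fires only when the log line
       comes from named and contains the resolver message quoted in the
       alert, and it turns off the e-mail for that case. -->
  <rule id="100100" level="2">
    <if_sid>1002</if_sid>
    <program_name>^named</program_name>
    <match>connection refused resolving</match>
    <options>no_email_alert</options>
    <description>named: connection refused resolving (e-mail suppressed).</description>
  </rule>

</group>
```

The event is still logged at level 2, so it stays visible in the alert log while no longer generating mail. Before relying on it, paste the log line from the alert into ossec-logtest and confirm that rule 100100 is the one that fires, then restart OSSEC to load the rule.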
 
All times are GMT -5. The time now is 09:52 PM.