ossec Issue

glennbtn · 07-29-2010, 08:08 AM

Hi All

I have installed an centos machine running zimbra with apf firewall. I only have a few ports open to the outside such as 25,443,110 etc. I have installed ossec to keep an eye on this but every no then I get a message which gets emailed to my phone about 12 times. I don't mind the odd 1 but I want to stop this.

I enclose the ossec email below and the ip address does change so not the same 1. I just need to know how I can sort the issue.

Thanks

OSSEC HIDS Notification.
2010 Jul 29 13:02:57

Received From: mail->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 29 13:02:54 mail named[2374]: connection refused resolving '1004web.com/NS/IN': 114.108.131.211#53

--END OF NOTIFICATION

unSpawn · 07-29-2010, 08:37 AM

Edit your BIND config and silence some errors ("category lame-servers") and override OSSEC with a local_rules.xml ("if_sid 1002 and program_name named and read_data contains connection refused resolving then no_email_alert")?

glennbtn · 07-29-2010, 09:06 AM

That's great thanks

How do I need to add this to the local_rules.xml as still a novice at this as the other examples don't seem to be similar

Thanks