Solved OSSEC HIDS rules

Hello,

I keep getting the following email notification from the OSSEC server.
Code:
OSSEC HIDS Notification.
2015 Jan 12 06:00:01

Received From: trinity->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 12 06:00:00 trinity smtpd[1161]: smtp-out: Error on session 07918aa71d08e40c: Connection failed: No route to host



--END OF NOTIFICATION

This message occurs because I relay my email to Gmail. By default, the system tries to connect to the Google mail server via IPv6. As I don't have IPv6 set up on my machine, it then connects via IPv4 and the message gets sent successfully...

In order to stop receiving this email notification, I thought of adding the following rule to my rules/local_rules.xml
Code:
<!-- Local (custom) rule ids must lie in the range 100000-119999 reserved for local_rules.xml -->
<rule id="ID" level="0">
  <!-- Only considered after the stock "bad words" rule 1002 has matched this line -->
  <if_sid>1002</if_sid>
  <program_name>^smtpd</program_name>
  <match>Connection failed: No route to host</match>
  <!-- level 0 means: matched, but never alert -->
  <description>Ignore no route to host errors</description>
</rule>

Now, my question is:

Will my rule stop me from receiving the SMTP email if things go wrong on my IPv4?
How can I set this rule so it only looks at problems deriving from my IPv6?

Thank you
Fred
 
Will my rule stop me from receiving the SMTP email if things go wrong on my IPv4?

No, your rule will permanently disable all "No route to host" errors, including IPv4.

How can I set this rule so it only looks at problems deriving from my IPv6?

Either disable IPv6 completely, or write another rule more specific to your problem. The log files should contain more information regarding the error besides the "No route to host".
 
Hi gkontos

I have tried to disable IPv6 but without success...
/etc/rc.conf
Code:
ip6addrctl_enable="NO"
This is the output of cat /var/log/maillog | grep smtpd
Code:
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d) for 800s
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Started TLS on session 07918acafef9207e: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Server certificate verification succeeded on session 07918acafef9207e
Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: New session eb3da34a86b2b728 from host localhost [127.0.0.1]
Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Accepted message 584a94dc on session eb3da34a86b2b728: from=<root@FreeBSDHost.mycompagny.ltd>, to=<mycompagnyuk@gmail.com>, size=500, ndest=1, proto=SMTP
Jan 13 06:00:04 FreeBSDHost smtpd[1163]: smtp-in: Closing session eb3da34a86b2b728
Jan 13 06:00:04 FreeBSDHost smtpd[1161]: relay: Ok for 1f0e0496ba195f5b: session=07918acafef9207e, from=<root@FreeBSDHost.mycompagny.ltd>, to=<mycompagnyuk@gmail.com>, rcpt=<root@FreeBSDHost.mycompagny.ltd>, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=4s, stat=250 2.0.0 OK 1421128804 ej10sm12863329wib.1 - gsmtp
Jan 13 06:00:07 FreeBSDHost smtpd[1161]: relay: Ok for 584a94dc54b22613: session=07918acafef9207e, from=<root@FreeBSDHost.mycompagny.ltd>, to=<mycompagnyuk@gmail.com>, rcpt=<->, source=192.168.1.175, relay=173.194.66.108 (we-in-f108.1e100.net), delay=3s, stat=250 2.0.0 OK 1421128807 ej10sm12863329wib.1 - gsmtp
Jan 13 06:00:17 FreeBSDHost smtpd[1161]: smtp-out: Closing session 07918acafef9207e: 2 messages sent.
Jan 13 06:13:20 FreeBSDHost smtpd[1161]: smtp-out: Enabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d)

I am very new to OSSEC, so I'm not too sure how I could write another rule more specific to my problem.

Any chance you could help please?

Thank you
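The correlation gkontos is pointing at, worked through as an added example (this is not code from the thread, from OSSEC or from OpenSMTPD): OSSEC evaluates each maillog line on its own, and the line that trips rule 1002 ("Error on session ...: Connection failed: No route to host") carries no address at all, so nothing in that line distinguishes the harmless IPv6 attempt from a real IPv4 failure. The address family only appears on the preceding "Connecting to tls://..." line that shares the same session id. The Python script below reads maillog lines in that format, remembers the target per session, and flags only the failures that are not an IPv6 "No route to host". The first five sample lines are taken from the excerpt above; the last two, with 192.0.2.25 and mx.example.invalid, are constructed to show an IPv4 failure that must still alert.

```python
#!/usr/bin/env python3
"""Correlate OpenSMTPD smtp-out log lines by session id so that an IPv6
'No route to host' can be told apart from an IPv4 one (added example)."""
import re
import sys
from typing import Iterable, List, NamedTuple, Optional

# Sample input: the first five lines follow the thread's maillog excerpt, the
# last two are constructed (TEST-NET address, hypothetical host name).
SAMPLE_LOG = """\
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c0a::6d:587 (2a00:1450:400c:c0a::6d) on session 07918ac90ad1a38e...
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 07918ac90ad1a38e: Connection failed: No route to host
Jan 13 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c0a::6d (2a00:1450:400c:c0a::6d) for 800s
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://173.194.66.108:587 (we-in-f108.1e100.net) on session 07918acafef9207e...
Jan 13 06:00:02 FreeBSDHost smtpd[1161]: smtp-out: Connected on session 07918acafef9207e
Jan 14 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Connecting to tls://192.0.2.25:587 (mx.example.invalid) on session 0123456789abcdef...
Jan 14 06:00:00 FreeBSDHost smtpd[1161]: smtp-out: Error on session 0123456789abcdef: Connection failed: No route to host
"""

# "Connecting to" lines carry the target literal and the session id.
CONNECTING = re.compile(
    r"smtp-out: Connecting to tls://(?P<target>\S+) \((?P<name>[^)]*)\) "
    r"on session (?P<sid>[0-9a-f]+)"
)
# "Error on session" lines carry only the session id and the error text.
ERROR = re.compile(r"smtp-out: Error on session (?P<sid>[0-9a-f]+): (?P<err>.*)$")


class Failure(NamedTuple):
    session: str
    family: Optional[int]   # 4, 6, or None when no "Connecting to" line was seen
    target: Optional[str]
    error: str
    alert: bool             # True: still worth an OSSEC-style notification


def address_family(target: str) -> int:
    # OpenSMTPD prefixes IPv6 literals with "IPv6:"; anything else is IPv4 here.
    return 6 if target.startswith("IPv6:") else 4


def correlate(lines: Iterable[str]) -> List[Failure]:
    """Walk the log once, remembering each session's target, and classify
    every smtp-out error by the address family of that session."""
    targets = {}          # session id -> target literal from "Connecting to"
    failures = []
    for line in lines:
        m = CONNECTING.search(line)
        if m:
            targets[m["sid"]] = m["target"]
            continue
        m = ERROR.search(line)
        if m:
            target = targets.get(m["sid"])
            family = address_family(target) if target else None
            # Suppress only the exact case from the thread: an IPv6 target
            # that is unreachable. Unknown sessions fail "open", i.e. alert,
            # so the filter never hides more than intended.
            suppress = family == 6 and m["err"].endswith("No route to host")
            failures.append(Failure(m["sid"], family, target, m["err"], not suppress))
    return failures


def alerting_failures(text: str) -> List[Failure]:
    """Failures that should still reach the operator."""
    return [f for f in correlate(text.splitlines()) if f.alert]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in correlate(text.splitlines()):
        verdict = "ALERT" if f.alert else "ignore"
        print(f"{verdict:6} session={f.session} family={f.family} target={f.target} error={f.error!r}")
```

Run it against the live log with `python3 correlate.py < /var/log/maillog` (the file name is my choice). With the sample input it reports the 07918ac90ad1a38e failure as ignorable, because its session connected to an IPv6 literal, and the constructed 0123456789abcdef failure as an alert, because that session was talking to an IPv4 address. An OSSEC rule keyed on the "Error on session" line alone cannot make this distinction, which is why the stand-alone level-0 rule from the first post silences IPv4 failures as well.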
 