Atomic Secure Linux
[ 37 posts ]  Go to page Previous  1, 2, 3  Next
Post subject: Re: Virus Detected Alerts
Posted: Fri Oct 14, 2011 12:06 pm
Atomicorp Staff - Site Admin
Location: Chantilly, VA
Make sure you are running 3.0.13 from the stable channel, not from testing and that you ran the full upgrade procedure.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: Virus Detected Alerts
Posted: Fri Oct 14, 2011 6:55 pm
Forum Regular
Location: Southampton, UK
Ugh?

I tried to disable the rule last night, and no it didn't work. Still broke, or at least it is on my install.

_________________
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland

Post subject: Re: Virus Detected Alerts
Posted: Sat Oct 15, 2011 1:18 am
Atomicorp Staff - Site Admin
Location: Chantilly, VA
How did you upgrade?

And what does your /etc/asl/rules file look like?

_________________
Michael Shinn

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 8:44 am
Long Time Forum Regular
Location: The Netherlands
The rule manager in 3.0.13 is still not working for us either.

/etc/asl/rules looks like this:

Code:
60118,no,7


This was set up according to http://www.atomicorp.com/company/blogs/ ... -more.html when ASL 2.2.11 was released.

_________________
Lemonbit Internet Dedicated Server Management

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 9:07 am
Atomicorp Staff - Site Admin
Location: earth
you're not allowed to ask questions about that file breun. :P

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 9:08 am
Atomicorp Staff - Site Admin
Location: Chantilly, VA
Did you change that manually, or through the GUI? If the former, keep in mind that's not supported (and that's an interim system, so don't change or use that file; it will be going away!)

_________________
Michael Shinn

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 9:20 am
Long Time Forum Regular
Location: The Netherlands
That entry was added manually as explained in your blog post: http://www.atomicorp.com/company/blogs/ ... -more.html

I have removed this entry and changed the owner of /etc/asl/rules to tortix (was root), which is probably why previous changes couldn't be persisted.

_________________
Lemonbit Internet Dedicated Server Management

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 12:02 pm
Forum Regular
Location: Southampton, UK
I made my change via the web GUI, and it is the virus alert rule which I think (off the top of my head) is 52502. I'm just trying to prevent it from emailing me, because at the moment every time a spam email with a virus attached to it comes in for any domain on the server, I get an hourly email to tell me. And as you can imagine, that's a lot of emails.

_________________
Matt

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 12:50 pm
Forum Regular
Location: Sweden
My row in /etc/asl/rules for this rule is: G,hids,52502,no,8,yes,yes, and I don't get any mails...

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 1:38 pm
Atomicorp Staff - Site Admin
Location: Chantilly, VA
I just added in two new rules, 590000 and 590001, that make qmail-scanner and clapf virus alerts level 0. So out of the box, if qmail generates a message like this:

Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/qscan/tmp/eicar.com: Eicar-Test-Signature FOUND

Or clapf generates a message like this:

Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/clapf/tmp/eicar.com: Eicar-Test-Signature FOUND

You will never see that in the GUI, or in an email alert. But if clamd catches a virus somewhere else, you will see that alert.

If you want to get the alerts for email, just change the alert level on rule 590000 or 590001 depending on which one you use.

_________________
Michael Shinn

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 5:54 pm
Forum Regular
Location: Southampton, UK
Thanks Mike, I'll run an update and see if that clams things down on the email front.

Thanks biggles, I'll give that a go. I am surprised it isn't working in the web GUI like it should though.

_________________
Matt

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 8:02 pm
Atomicorp Staff - Site Admin
Location: Chantilly, VA
And please let us know if ASL is reporting something you think it shouldn't by default. We're very happy to add rules to suppress those kinds of things by default.

_________________
Michael Shinn

Post subject: Re: Virus Detected Alerts
Posted: Mon Oct 17, 2011 9:18 pm
Long Time Forum Regular
It is a shame OSSEC can't differentiate between a virus found in an email (common, harmless, dealt with, don't want to know about it) and a virus uploaded via FTP (might be an indication of compromised FTP credentials - need to know about it - level 14 at least!)

Or can it?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

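The two clamd lines Mike quotes differ only in the spool path, and that path is exactly what lets a log rule tell a mail-scanner detection from a file that turned up under a web or FTP tree, which is faris's question. The script below is an added example, not Atomicorp's code and not an OSSEC rule file: it applies that path-based triage to a handful of constructed clamd log lines. Rule ids 590000, 590001 and 52502 are the ones named in the thread; their levels, the path prefixes they cover, the hypothetical escalation rule 100100 and the e-mail threshold of 7 are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Path-aware triage of clamd "FOUND" log lines.

Added example in the spirit of the ASL/OSSEC rules discussed in the thread;
it is not Atomicorp's code.  Rule ids 590000, 590001 and 52502 are taken from
the thread, but their OSSEC definitions are not on the page, so the levels,
path prefixes and the e-mail threshold below are assumptions.  Rule 100100 is
hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not from a real server): two mail-scanner hits that
# should be silenced, two hits outside the mail spool that should alert, and
# one clean scan result that is not a detection at all.
SAMPLE_LOG = """\
Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/qscan/tmp/eicar.com: Eicar-Test-Signature FOUND
Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/clapf/tmp/eicar.com: Eicar-Test-Signature FOUND
Oct 17 13:40:02 asl-modsec-test clamd[3841]: /var/www/vhosts/example.com/httpdocs/upload/x.php: PHP.Shell-1 FOUND
Oct 17 13:41:10 asl-modsec-test clamd[3841]: /home/ftpuser/public_html/index.php: Win.Trojan.Agent-1234 FOUND
Oct 17 13:42:00 asl-modsec-test clamd[3841]: /var/spool/qscan/tmp/clean.txt: OK
"""

# clamd's detection line is "<path>: <signature> FOUND".  Paths may contain
# spaces, so the path group is non-greedy and anchored by ": <sig> FOUND$".
CLAMD_FOUND = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) clamd\[\d+\]: "
    r"(?P<path>.+?): (?P<sig>\S+) FOUND$"
)

# Rule table, first match wins (the way a more specific OSSEC child rule
# overrides its parent).  Tuples are (rule id, level, path prefixes, text).
RULES = [
    # Mail-scanner spools: the message was already handled, so the thread's
    # 590000/590001 make these level 0 (never shown in the GUI, never mailed).
    # Which id covers which scanner is an assumption.
    (590000, 0, ("/var/spool/qscan/",), "Virus detected by qmail-scanner (mail already handled)"),
    (590001, 0, ("/var/spool/clapf/",), "Virus detected by clapf (mail already handled)"),
    # Hypothetical local rule: a detection inside a web/FTP-writable tree may
    # mean stolen upload credentials, so escalate it as faris suggests.
    (100100, 14, ("/var/www/", "/home/"), "Virus in web/FTP content: possible compromised upload credentials"),
]
# Fallback: the generic ASL virus rule.  Level 8 is read from biggles'
# "G,hids,52502,no,8,yes,yes" line on the assumption that the 5th field is
# the alert level.
DEFAULT_RULE = (52502, 8, (), "Virus detected")

EMAIL_ALERT_LEVEL = 7  # assumed e-mail threshold, as in <email_alert_level>


@dataclass
class Alert:
    timestamp: str
    host: str
    path: str
    signature: str
    rule_id: int
    level: int
    description: str

    def should_email(self, email_alert_level: int = EMAIL_ALERT_LEVEL) -> bool:
        """An alert is mailed when its level reaches the configured threshold."""
        return self.level >= email_alert_level


def classify(line: str) -> Optional[Alert]:
    """Turn one clamd log line into an Alert, or None if it is not a detection."""
    m = CLAMD_FOUND.match(line.rstrip("\n"))
    if not m:
        return None
    path = m.group("path")
    rule_id, level, _, desc = next(
        (r for r in RULES if path.startswith(r[2])), DEFAULT_RULE
    )
    return Alert(m.group("ts"), m.group("host"), path, m.group("sig"), rule_id, level, desc)


def triage(log_text: str) -> List[Alert]:
    """Classify every line and drop level-0 alerts, which OSSEC never reports."""
    alerts = [a for a in map(classify, log_text.splitlines()) if a is not None]
    return [a for a in alerts if a.level > 0]


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        mail = "mail" if a.should_email() else "no mail"
        print(f"rule {a.rule_id} level {a.level:2d} [{mail}] {a.path}: {a.signature} - {a.description}")
```

Run it as-is to see only the two non-spool detections survive, both at a level high enough to be mailed; the two eicar hits in the qscan and clapf spools are classified at level 0 and never reach the output, matching what Mike describes for 590000/590001. To get e-mail for mail-spool detections again, raise the level on the matching entry rather than touching the generic 52502 rule, so FTP and web-tree hits keep their own level.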
Post subject: Re: Virus Detected Alerts
Posted: Tue Oct 18, 2011 5:33 am
Forum Regular
Location: United Kingdom
mikeshinn wrote:
We're very happy to add rules to suppress those kinds of things by default.


Bearing in mind the reply from faris (about FTP uploads), I cannot see why anyone would need to know by default that an e-mail spam/virus has been blocked. Having said that, ASL is transparent in operation and passes this through to the GUI for end users to decide/disable, but this is definitely one rule I would never want to trigger e-mail notification.

Post subject: Re: Virus Detected Alerts
Posted: Tue Oct 18, 2011 8:00 am
Forum Regular
Location: Southampton, UK
faris wrote:
It is a shame OSSEC can't differentiate between a virus found in an email (common, harmless, dealt with, don't want to know about it) and a virus uploaded via FTP (might be an indication of compromised FTP credentials - need to know about it - level 14 at least!)

Or can it?


Yes I agree faris, it is a shame. I'm concerned about turning off email notification on that rule, if it means not being told about FTP virus alerts.

It is very strange though, because in the pre-version 3 of ASL you didn't, or at least I didn't, get notifications on email viruses.

_________________
Matt
