Hi,

You have some options to achieve this:

One of them is to increase the rule level. Changing the value in the 
original rule would work, but I'd recommend creating a new rule (in the 
file *local_rules.xml*), adding the attribute 'overwrite="yes"' and changing 
the rule level:

<rule id="5716" level="6" overwrite="yes">
  <if_sid>5700</if_sid>
  <match>^Failed|^error: PAM: Authentication</match>
  <description>SSHD authentication failed.</description>
  <group>authentication_failed,</group>
</rule>


Another option would be enabling Active Response for rule 5716 in 
particular, using the "rules_id" option inside the <active-response> block:

<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <rules_id>5716</rules_id>
  <timeout>600</timeout>
</active-response>


Hope it helps.
Best regards.




On Monday, March 20, 2017 at 11:56:29 AM UTC-7, The Dude wrote:
>
> I am new to ossec and I am trying to figure out what is the best way to
> change a rule. In the ossec.conf it says this
>
>   <!-- Active Response Config -->
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for 600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
> I am assuming the level it is referring to is the level set in the
> rule.xml. So the sshd_rules.xml has this line.
>
>   <rule id="5716" level="5">
>     <if_sid>5700</if_sid>
>     <match>^Failed|^error: PAM: Authentication</match>
>     <description>SSHD authentication failed.</description>
>     <group>authentication_failed,</group>
>   </rule>
>
> When testing failed ssh logins I see the alert in the alert.log for the
> rule above. How should I go about changing the level to 6 so it will get
> blocked? I tried editing the sshd_rules.xml but get the read only warning.
>
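A sanity check for the two configurations discussed in this thread, written in Python as an added example (it is not from the thread and not OSSEC's own code): it layers a constructed local_rules.xml over constructed stock rules, flags a rule redefined without overwrite="yes", and reports which rule ids a given <active-response> block would fire on. It assumes that when both <level> and <rules_id> are set, both conditions must hold; all rule and config text below is a constructed sample modelled on the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the thread, not real OSSEC files.
BASE_RULES = """<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1"><decoded_as>sshd</decoded_as><description>SSHD messages grouped.</description></rule>
  <rule id="5711" level="5"><if_sid>5700</if_sid><description>Placeholder sshd rule (constructed).</description></rule>
  <rule id="5716" level="5"><if_sid>5700</if_sid><match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description><group>authentication_failed,</group></rule>
</group>"""
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="5716" level="6" overwrite="yes"><if_sid>5700</if_sid><match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description><group>authentication_failed,</group></rule>
</group>"""
ACTIVE_RESPONSE = """<ossec_config><active-response><command>host-deny</command><location>local</location>
  <level>6</level><rules_id>5716</rules_id><timeout>600</timeout></active-response></ossec_config>"""

def load_rules(xml_text):
    """Map rule id -> <rule> element for one rules file."""
    return {r.get("id"): r for r in ET.fromstring(xml_text).iter("rule")}

def effective_rules(base_xml, local_xml):
    """Layer local_rules.xml over the stock rules and report ids that are
    redefined without overwrite="yes" (a duplicate id rather than an override)."""
    rules = load_rules(base_xml)
    problems = []
    for rid, rule in load_rules(local_xml).items():
        if rid in rules and rule.get("overwrite") != "yes":
            problems.append(f'rule {rid} redefined without overwrite="yes"')
        rules[rid] = rule
    return rules, problems

def rules_triggering(ar_xml, rules):
    """Return (ids that fire this <active-response>, warnings). Assumption:
    the <level> and <rules_id> conditions both have to hold (AND semantics)."""
    ar = ET.fromstring(ar_xml).find("active-response")
    min_level = int(ar.findtext("level", "0"))
    wanted = {s.strip() for s in ar.findtext("rules_id", "").split(",") if s.strip()}
    warnings = [f"rules_id {rid} is not defined" for rid in sorted(wanted - set(rules))]
    fired = []
    for rid in sorted(wanted & set(rules) if wanted else set(rules)):
        rule = rules[rid]
        level = int(rule.get("level", "0"))
        if rule.get("noalert") == "1":  # never produces an alert, so never a response
            continue
        if level >= min_level:
            fired.append(rid)
        elif rid in wanted:
            warnings.append(f"rule {rid} is level {level}, below <level>{min_level}</level>")
    return fired, warnings
```

Pointing the check at a rules_id that stays below the <level> threshold (the original 5711 at level 5, for instance) produces a warning instead of a silently inert response.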
