Hi,

You have some options to achieve this:

One of them is to increase the rule level. Changing the value at the original rule would work, but I'd recommend you create a new rule (in the file *local_rules.xml*), adding the attribute overwrite="yes" and changing the rule level:

    <rule id="5716" level="6" overwrite="yes">
      <if_sid>5700</if_sid>
      <match>^Failed|^error: PAM: Authentication</match>
      <description>SSHD authentication failed.</description>
      <group>authentication_failed,</group>
    </rule>

Another option would be enabling Active response for rule 5716 in particular, using the option "rules_id" inside the <active-response> group:

    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for 600 seconds.
      -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <rules_id>5716</rules_id>
      <timeout>600</timeout>
    </active-response>

Hope it helps.

Best regards.

On Monday, March 20, 2017 at 11:56:29 AM UTC-7, The Dude wrote:
>
> I am new to ossec and I am trying to figure out what is the best way to
> change a rule. In the ossec.conf it says this
>
>> <!-- Active Response Config -->
>> <active-response>
>>   <!-- This response is going to execute the host-deny
>>      - command for every event that fires a rule with
>>      - level (severity) >= 6.
>>      - The IP is going to be blocked for 600 seconds.
>>   -->
>>   <command>host-deny</command>
>>   <location>local</location>
>>   <level>6</level>
>>   <timeout>600</timeout>
>> </active-response>
>
> I am assuming the level it is referring to is the level set in the
> rule.xml. So the sshd_rules.xml has this line.
>
>> <rule id="5716" level="5">
>>   <if_sid>5700</if_sid>
>>   <match>^Failed|^error: PAM: Authentication</match>
>>   <description>SSHD authentication failed.</description>
>>   <group>authentication_failed,</group>
>> </rule>
>
> When testing failed ssh logins I see the alert in the alert.log for the
> rule above. How should I go about changing the level to 6 so it will get
> blocked? I tried editing the sshd_rules.xml but get the read only warning.
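As an added example (my own, not OSSEC's code), here is a small Python check that models the two options from the reply: it merges a local_rules.xml override onto the stock sshd rule and asks whether an active-response block would fire for rule 5716. The XML fragments are constructed to match the thread, and the trigger logic (<level> as a minimum rule level, <rules_id> as a comma-separated id list, either condition sufficing) is a simplified assumption for illustration, not OSSEC's own matching code.

```python
import xml.etree.ElementTree as ET

# Constructed: the stock rule as it appears in sshd_rules.xml (level 5).
SSHD_RULES = """<group name="syslog,sshd,">
  <rule id="5716" level="5"><if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group></rule>
</group>"""

# Constructed: the override from the reply, as it would sit in local_rules.xml.
LOCAL_RULES = """<group name="local,syslog,sshd,">
  <rule id="5716" level="6" overwrite="yes"><if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group></rule>
</group>"""

# Constructed: the stock, level-based active-response block from the question.
ACTIVE_RESPONSE = """<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>"""


def load_rules(*xml_docs):
    """Return {rule_id: level}. A later definition of an existing id is accepted
    only when it carries overwrite="yes"; this model treats any other duplicate as an error."""
    levels = {}
    for doc in xml_docs:
        for rule in ET.fromstring(doc).iter("rule"):
            rid = rule.get("id")
            if rid in levels and rule.get("overwrite") != "yes":
                raise ValueError(f'rule {rid} redefined without overwrite="yes"')
            levels[rid] = int(rule.get("level"))
    return levels


def response_fires(ar_xml, rule_id, levels):
    """Simplified trigger model (assumption): the response fires when the rule's level
    reaches <level>, or when its id is listed in <rules_id>; either condition suffices."""
    ar = ET.fromstring(ar_xml)
    min_level = ar.findtext("level")
    listed = {i.strip() for i in (ar.findtext("rules_id") or "").split(",") if i.strip()}
    by_level = min_level is not None and levels[rule_id] >= int(min_level)
    return by_level or rule_id in listed
```

Running it with only SSHD_RULES shows the stock block never fires for 5716; adding LOCAL_RULES (option one) or a rules_id entry (option two) makes it fire.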