Hi, 

You need to set the "frequency" attribute in rule 5712 to "1". This 
attribute sets the number of times (+2) that a rule needs to match to fire an 
alert; by default, 5712 will show an alert when 5710 appears at 
least 8 times, and changing it to "1" will fire at the 3rd attempt. Please check 
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html

I hope it helps.

Regards

On Wednesday, June 28, 2017 at 11:06:44 PM UTC-4, az...@51ecommerce.com 
wrote:
>
> HI,
>
> I set the email notify level to 3 and tried to log in to serverA through 
> ssh. It works, I receive the email alert.
>
> Thank you!
>
> And I have another question: I want to block the user's IP when the user 
> fails to log in more than 3 times with ssh. I use 5712, 
> but it did not work; I tried to fail logging in more than 10 times and it still does not 
> block me.
> Here is my active-response in ossec.conf:
>
> <active-response>
>   <disabled>no</disabled>
>   <command>firewall-drop</command>
>   <location>local</location>
>   <rules_id>5712</rules_id>
>   <level>8</level>
>   <timeout>120</timeout>
>   <repeated_offenders>60,120,180</repeated_offenders>
> </active-response>
>
>
> Here are my 5710 and 5712 rule definitions:
>
>   <rule id="5710" level="5">
>     <if_sid>5700</if_sid>
>     <match>illegal user|invalid user</match>
>     <description>sshd: Attempt to login using a non-existent user</description>
>     <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
>   </rule>
>
>   <rule id="5711" level="0">
>     <if_sid>5700</if_sid>
>     <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
>     <match>input_userauth_request: invalid user|</match>
>     <match>PAM: User not known to the underlying authentication module for illegal user|</match>
>     <match>error retrieving information about user</match>
>     <description>sshd: Useless/Duplicated SSHD message without a user/ip.</description>
>   </rule>
>
>   <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
>     <if_matched_sid>5710</if_matched_sid>
>     <description>sshd: brute force trying to get access to </description>
>     <description>the system.</description>
>     <same_source_ip />
>     <group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>
>   </rule>
>
> On Thursday, June 29, 2017 at 2:19:23 AM UTC+8, migue...@wazuh.com wrote:
>>
>> Hi,
>>
>> The email notification is triggered when an alert reaches or surpasses the 
>> level defined in <email_alert_level> (by default it is set to level 7); 
>> setting this option to level 3 will send you email notifications for 
>> successful login attempts.
>>
>> *<email_alert_level> option reference:* 
>> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
>> *Rules classification:* 
>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html.
>>
>> I hope this helps you.
>>
>> Best regards.
>>
>> On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com 
>> wrote:
>>>
>>> hello, 
>>> I've set up the ossec server and agent on my serverS (server) and 
>>> serverA (agent), but when I log in to serverA, I do not receive the email 
>>> alert; if I change something on serverA, I do receive the email alert. 
>>> So, my question is: how do I make an email alert when someone logs in to the 
>>> system, e.g. via ssh or ftp?
>>>
>>
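
As an added illustration of the frequency arithmetic explained in the first reply above (not code from the thread or from OSSEC itself): a small Python model of the 5710 -> 5712 chain with same_source_ip, timeframe and ignore, fed with constructed sshd lines. The class name, the helper, the sample lines and the address 203.0.113.5 are assumptions made for this example; OSSEC's real matcher is not reproduced.

```python
import re
from collections import defaultdict, deque

# Simplified model of the rule chain discussed in the thread: rule 5710 matches
# one sshd invalid-user line, and rule 5712 fires once frequency + 2 matches of
# 5710 arrive from the same source IP inside `timeframe` seconds, after which it
# stays quiet for `ignore` seconds. OSSEC's own matcher is not reproduced here.
RULE_5710 = re.compile(r"illegal user|invalid user", re.IGNORECASE)
SRCIP = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


class BruteForceCorrelator:
    def __init__(self, frequency, timeframe=120, ignore=60):
        self.needed = frequency + 2        # OSSEC fires at frequency + 2 matches
        self.timeframe = timeframe
        self.ignore = ignore
        self.seen = defaultdict(deque)     # srcip -> timestamps of 5710 matches
        self.quiet_until = {}              # srcip -> time when 5712 may re-fire

    def feed(self, ts, line):
        """Return 5712 when this line completes a brute-force sequence, else None."""
        if not RULE_5710.search(line):
            return None                    # rule 5710 did not match this line
        m = SRCIP.search(line)
        if not m:
            return None                    # no srcip: same_source_ip cannot apply
        ip = m.group(1)
        window = self.seen[ip]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()               # drop matches older than timeframe
        if ts < self.quiet_until.get(ip, -1):
            return None                    # still inside the ignore period
        if len(window) >= self.needed:
            window.clear()
            self.quiet_until[ip] = ts + self.ignore
            return 5712
        return None


def first_alert_attempt(frequency, attempts=12):
    """Feed `attempts` constructed failures (one per second) from a single IP
    and return the 1-based attempt at which 5712 first fires, or None."""
    corr = BruteForceCorrelator(frequency)
    for n in range(1, attempts + 1):
        # Constructed sample line in sshd's format; 203.0.113.5 is a test address.
        line = f"sshd[1234]: Invalid user admin from 203.0.113.5 port {50000 + n} ssh2"
        if corr.feed(n, line) == 5712:
            return n
    return None
```

With the thread's frequency="6" the model fires on the 8th failure, and with frequency="1" on the 3rd, matching the reply above.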

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.