Remember that you need to restart OSSEC after changing the rules.

Also, you can use *ossec-logest* to test your rules.
Regards.

On Thursday, June 29, 2017 at 11:25:17 AM UTC+2, Rahul Tiwari wrote:
>
> I tired this but its not working any other rule or something which i need 
> to add.
> As i m new in OSSEC Please help me out
>
> On Wednesday, June 28, 2017 at 10:40:20 PM UTC+5:30, Jesus Linares wrote:
>>
>> Hi,
>>
>> the *frequency *attribute specifies the number of times (+2) the rule 
>> must have matched before firing. In this case, the rule 5720 will be fired 
>> if the rule 5716 is fired 8 times (6+2).
>>
>> You must use *frequency="1"* to fire the rule after 3 attempts. Also, it 
>> is a good idea to add the *timeframe *attribute.
>>
>> I hope it helps.
>> Regards.
>>
>> On Wednesday, June 28, 2017 at 10:09:56 AM UTC+2, Rahul Tiwari wrote:
>>>
>>> I need to block the user ip after 3 times login failed attempt in ossec 
>>> I tried below in sshd_rules file
>>>
>>> <rule id="5720" level="10" frequency="6">
>>>     <if_matched_sid>5716</if_matched_sid>
>>>     <same_source_ip />
>>>     <description>Multiple SSHD authentication failures.</description>
>>>     <group>authentication_failures,</group>
>>>   </rule>
>>>
>>> But its blocking the user ip after 10 attempt please help me out
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to