Hi everyone, here is my ossec.conf on the server:

    <active-response>
      <command>firewall-drop</command>
      <location>server,all</location>
      <rules_id>31152</rules_id>
      <timeout>600</timeout>
      <repeated_offenders>30,60,90,120,150</repeated_offenders>
    </active-response>
Rule 31152 is:

    <rule id="31152">
      <if_matched_sid>31103</if_matched_sid>
      <description>Multiple SQL injection attempts from same souce ip.</description>
      <group>attack,sql_injection,</group>
    </rule>
After I tried a SQL injection to
My rule fired, and I received alert emails too. But active response doesn't work.
Here is my active-response config in ossec.conf:

    <active-response>
      <command>firewall-drop</command>
      <location>all</location>
      <rules_id>100101</rules_id>
      <timeout>600</timeout>
    </active-response>
Here is my email alert:

    Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired (level 9) ->
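A small Python model of the two pieces of configuration in this post: how hits on the child rule are correlated per source IP into the composite rule, which rule ids the firewall-drop stanza is bound to, and which timeout applies on each repeated offense by the same IP. This is an added example, not OSSEC's own code; the frequency and timeframe of rule 31152 are not shown above and are assumed here.

```python
"""Model of OSSEC composite-rule correlation and active-response timeouts.
Added example, not OSSEC code.  Assumed (not on the page): rule 31152 fires
once 8 matching hits from one IP fall inside a 120 s window."""
from collections import defaultdict, deque

# Values from the poster's ossec.conf stanza bound to rule 31152.
ACTIVE_RESPONSE = {
    "command": "firewall-drop",
    "rules_id": {31152},
    "timeout": 600,                                 # seconds, first offense
    "repeated_offenders": [30, 60, 90, 120, 150],   # minutes, 2nd, 3rd, ... offense
}
COMPOSITE = {"id": 31152, "if_matched_sid": 31103,
             "frequency": 8, "timeframe": 120}      # frequency/timeframe assumed


def responds_to(rule_id):
    """True when this active-response stanza is bound to the rule that fired."""
    return rule_id in ACTIVE_RESPONSE["rules_id"]


def block_seconds(offense_no):
    """Timeout for the n-th offense (1-based) by one source IP.
    First offense uses <timeout>; later ones walk <repeated_offenders>,
    and the last listed value is reused once the list is exhausted."""
    if offense_no <= 1:
        return ACTIVE_RESPONSE["timeout"]
    steps = ACTIVE_RESPONSE["repeated_offenders"]
    return steps[min(offense_no - 2, len(steps) - 1)] * 60


def correlate(events):
    """events: iterable of (timestamp_s, sid, src_ip) low-level alerts.
    Returns [(timestamp, src_ip, seconds_blocked)] for every time the
    composite rule fires and the firewall-drop response would be dispatched.
    Simplification: fires as soon as the per-IP window holds `frequency` hits."""
    window = defaultdict(deque)   # src_ip -> timestamps of if_matched_sid hits
    offenses = defaultdict(int)   # src_ip -> how often the composite fired
    actions = []
    for ts, sid, ip in sorted(events):
        if sid != COMPOSITE["if_matched_sid"]:
            continue
        hits = window[ip]
        hits.append(ts)
        while hits and ts - hits[0] > COMPOSITE["timeframe"]:
            hits.popleft()                       # drop hits outside the window
        if len(hits) >= COMPOSITE["frequency"] and responds_to(COMPOSITE["id"]):
            hits.clear()                         # rule fired; start a new window
            offenses[ip] += 1
            actions.append((ts, ip, block_seconds(offenses[ip])))
    return actions
```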
First, sorry for my bad English.
I'm a newbie and I have used OSSEC for about 2 weeks. Last week, active
response still worked well. But after 2 or 3 days, I checked
/var/logs/auth.log and found that there was an SSH brute force attack from
an IP to my server. But then I checked active response