Re: [ossec-list] Re: Modify rules

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote:
> I went with the first option. Works as expected but now I need to adjust the
> number of fails before the IP is blocked. Where do I do that?
>

Try using 5720 for the rule to trigger active response. It looks for 8+

[ossec-list] Re: Modify rules

2017-03-23 Thread The Dude
I went with the first option. Works as expected but now I need to adjust the number of fails before the IP is blocked. Where do I do that?

On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>
> I am new to ossec and I am trying to figure out what is the best way to
> change a

[ossec-list] Re: Modify rules

2017-03-21 Thread Kat
One other bit of information - the "read only" error has nothing to do with OSSEC itself. It is simply a warning based on Linux saying that the file is marked without the "W" attribute. You can resolve this from "vi" by simply using a "w" upon exit. For example, after you edit the

[ossec-list] Re: Modify rules

2017-03-20 Thread Victor Fernandez
Hi,

You have some options to achieve this:

One of them is to increase the rule level. Changing the value at the original rule would work but I'd recommend you to create a new rule (at file *local_rules.xml*), adding attribute 'overwrite="yes"' and changing the rule level: 5700