To execute the active response, ossec needs to know the IP address to block. Did you write a decoder for vpopmail? If you look at /var/ossec/etc/decoder.xml you will see all the ones we currently have.
Basically, the decoders extract the IPs, usernames and other data from the logs. The rules do the pattern matching to generate the alerts. The following entry in the wiki explains a bit more about the relation between the decoders and rules: http://www.ossec.net/wiki/index.php/Decoder_rules_relation

btw, share your rules when they are done :)

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/13/06, Ceg Ryan <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am writing new vpopmail rules to block vpopmail pop3 brute force attack. I find logs in alert/2006/Sep/ at level 10 by my new rules. But I could not see the active-response. I did set to trigger the active-response at level 10 in ossec.conf. What is the problem here?
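The decoder-to-rule-to-response chain Daniel describes, as an added illustration that is not from the thread or from the OSSEC project's shipped configuration: the decoder must set srcip, the rule chain raises the level, and the active-response command only runs when the alert carries the field it expects. The vpopmail log line format, decoder names and rule ids are assumptions; adjust them to what your vpopmail actually writes and to ids that are free on your install.

```xml
<!-- Constructed example. Assumed vpopmail log line (not taken from the thread):
     Sep 13 10:00:00 mail vpopmail[4242]: vchkpw-pop3: password fail joe@example.com:192.0.2.10 -->

<!-- /var/ossec/etc/decoder.xml: pull user and srcip out of the event. No decoded srcip, nothing to block. -->
<decoder name="vpopmail">
  <program_name>^vpopmail</program_name>
</decoder>
<decoder name="vpopmail-fail">
  <parent>vpopmail</parent>
  <prematch>^vchkpw-pop3: password fail </prematch>
  <!-- OSSEC regex: \S+ is non-space, a bare . matches a literal dot -->
  <regex>^vchkpw-pop3: password fail (\S+):(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml: rules only pattern-match the decoded event. Ids 100200-100202 assumed free. -->
<group name="vpopmail,">
  <rule id="100200" level="0">
    <decoded_as>vpopmail</decoded_as>
    <description>vpopmail messages grouped.</description>
  </rule>
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <match>password fail</match>
    <description>vpopmail POP3 authentication failure.</description>
  </rule>
  <!-- Six failures from the same decoded srcip inside two minutes escalate to level 10 -->
  <rule id="100202" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>vpopmail POP3 brute force attempt (same source IP).</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf: expect srcip ties the command to the decoded IP. If the decoder
     did not set srcip, the level 10 alert is still written but the response is skipped. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>
```

Feeding the sample line through /var/ossec/bin/ossec-logtest shows whether srcip was decoded before you look at the active-response log.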
