The logs are in logs/alerts/2006/Sep/ossec-alerts-14.log. I have set the active-response at level 10 already.
vpopmail[1123]: vchkpw-pop3: vpopmail user not found abc@:219.xxx.100.198
vpopmail[1125]: vchkpw-pop3: vpopmail user not found abc1 @:219.xxx.100.198
vpopmail[1128]: vchkpw-pop3: vpopmail user not found test@:219.xxx.100.198
...
vpopmail[1133]: vchkpw-pop3: vpopmail user not found admin@:219.xxx.100.198
** Alert 1158189714.105283: mail
2006 Sep 14 07:21:54 servera->/var/log/maillog
Rule: 9953 (level 10) -> 'POP3 brute force (email harvesting).'
Src IP: 219.xxx.100.198
User: abcb@
The active-response config in ossec.conf:
<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>
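As an added example (not part of this post and not OSSEC's own code), a small Python parser for the ossec-alerts record format quoted above that applies the same `<level>` threshold an `<active-response>` block uses, so you can check offline which alerts should have fired host-deny / firewall-drop. The sample log is constructed: the first record mirrors the rule 9953 alert from the post, the second uses a placeholder rule id and IP to show a below-threshold alert.

```python
import re

# Constructed sample in the ossec-alerts format. Record 1 mirrors the post's
# alert (masked IP kept as in the post); record 2 uses a placeholder rule id.
SAMPLE_ALERTS = """\
** Alert 1158189714.105283: mail
2006 Sep 14 07:21:54 servera->/var/log/maillog
Rule: 9953 (level 10) -> 'POP3 brute force (email harvesting).'
Src IP: 219.xxx.100.198
User: abcb@

** Alert 1158189720.105400: mail
2006 Sep 14 07:22:00 servera->/var/log/maillog
Rule: 99999 (level 3) -> 'placeholder low-severity alert'
Src IP: 10.0.0.5
User: test@
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (\S+)$")


def parse_alerts(text):
    """Split an ossec-alerts log into records keyed by alert id, rule, level, src_ip."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("** Alert "):
            current = {"id": line.split()[2].rstrip(":"), "rule": None,
                       "level": None, "src_ip": None, "description": None}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record header
        m = RULE_RE.match(line)
        if m:
            current["rule"], current["level"] = int(m.group(1)), int(m.group(2))
            current["description"] = m.group(3)
            continue
        m = SRCIP_RE.match(line)
        if m:
            current["src_ip"] = m.group(1)
    return records


def should_trigger(record, ar_level):
    """An <active-response> with <level>N</level> fires for alerts of level >= N."""
    return record["level"] is not None and record["level"] >= ar_level


def ips_to_block(text, ar_level=10):
    """Source IPs that the configured active-response level would act on."""
    return sorted({r["src_ip"] for r in parse_alerts(text)
                   if should_trigger(r, ar_level) and r["src_ip"]})
```

Running `ips_to_block` over a real ossec-alerts-*.log with the `<level>` from ossec.conf shows whether an alert such as the rule 9953 one should have produced a block, which separates a rule/level mismatch from a problem in the response script itself.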
