Hi Forrest,
Hope you get my e-mail this time (your e-mail seems to be having problems with Google Mail/Groups).

First, your rule "100101" (which is not included in the e-mail) is set to level "4". You configured your active responses to only be executed on levels higher than or equal to 6 (<level>6</level>). If you want this rule to be executed, just increase its level to 6 or higher.

Second, your rule 100103 will never be matched. You have an "if_sid" for rule 3103, but you also have that for rule "100101". So rule 100101 is always executed instead of 3103. If you change it to the following it should work:

    <rule id="100103" level="12" frequency="3" timeframe="120">
      <if_matched_sid>100101</if_matched_sid>
      <match>blocked - see</match>
      <same_source_ip />
      <description>Email RBL block; multiple times</description>
    </rule>

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/18/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
I got slammed tonight by this connection, which amounted to thousands of entries.

    Sep 18 22:22:20 mail sm-mta[42966]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
    Sep 18 22:22:50 mail sm-mta[42967]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
    Sep 18 22:23:20 mail sm-mta[42968]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/

The active-response *should* have caught this, but it did not, and I'm still puzzled as to why. I have these rules:

/var/ossec/etc/ossec.conf:

[ snip ]

    <!-- Active Response Config -->
    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for 600 seconds.
        -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

The rules from /var/ossec/rules/local_rules.xml:

    <rule id="100103" level="12" frequency="3" timeframe="120">
      <if_sid>3103</if_sid>
      <match>blocked - see</match>
      <same_source_ip />
      <description>Email RBL block; multiple times</description>
    </rule>

    <rule id="100099" level="4">
      <match>reject=421 4.3.2</match>
      <description>421 reject code</description>
    </rule>

    <rule id="100102" level="12" frequency="1" timeframe="120">
      <if_sid>100099</if_sid>
      <match>Connection rate limit exceeded</match>
      <same_source_ip />
      <description>Sendmail connection rate throttle trap</description>
    </rule>

Now I would *think* the first one would stop this right away. Maybe I have the levels incorrect? I see this several times in the alerts.log:

    ** Alert 1158630994.64347: 2006 Sep 18 21:56:34 mail->/var/log/messages
    Rule: 100101 (level 4) -> 'Email blocked due to RBL'
    Src IP: 125.131.7.212
    User: (none)
    sm-mta[42822]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/

In another incident, the Connection Rate Throttle isn't being upped to the right level:

    ** Alert 1158563267.12801: 2006 Sep 18 03:07:47 mail->/var/log/messages
    Rule: 3107 (level 4) -> 'Sendmail rejected message.'
    Src IP: 24.109.128.18
    User: (none)
    sm-mta[12791]: ruleset=check_relay, arg1=S0106000f3d3aea3d.tb.shawcable.net, arg2=24.109.128.18, relay=S0106000f3d3aea3d.tb.shawcable.net [24.109.128.18], reject=421 4.3.2 Connection rate limit exceeded.

Now my rule above is supposed to trigger a firewall block after 3 times of this. Can someone help me figure out what's wrong? It may be my misunderstanding of the levels config.

Thanks!

Forrest
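The two points Daniel makes above (a level-4 rule never reaches a level-6 active response, and a composite rule needs <if_matched_sid> plus <frequency>/<timeframe>/<same_source_ip> to escalate) can be seen by running a small model of the correlation over sample lines. The script below is an added example written for this page; it is not OSSEC code and not the posters' configuration. It reuses the rule ids and the <level>6</level> threshold from the thread, but the log lines are constructed (modelled on the ones quoted), the year 2006 is assumed for the syslog timestamps, and the way hits are counted against <frequency> (N hits from the same source inside the window, the current one included, then a fresh window) is a simplification, not a statement of how OSSEC counts internally.

```python
"""Toy model of OSSEC-style rule correlation and the active-response level threshold.

Added example, not OSSEC code. Models only what the thread is about: a base rule
that tags single events (level 4), a composite rule keyed on the base rule's id
that escalates after N hits from the same source within a window (level 12), and
an active response that fires only for alerts at or above <level>.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines modelled on the ones quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Sep 18 22:22:20 mail sm-mta[42966]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
Sep 18 22:22:50 mail sm-mta[42967]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
Sep 18 22:23:10 mail sm-mta[42968]: ruleset=check_relay, arg1=[192.0.2.44], arg2=127.0.0.2, relay=[192.0.2.44], reject=553 5.3.0 Message from 192.0.2.44 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
Sep 18 22:23:20 mail sm-mta[42969]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
"""

# Rules in the shape of the thread's local_rules.xml (ids and levels taken from the thread).
BASE_RULE = {"id": 100101, "level": 4, "match": "blocked - see"}
COMPOSITE_RULE = {"id": 100103, "level": 12, "if_matched_sid": 100101,
                  "frequency": 3, "timeframe": 120, "same_source_ip": True}
ACTIVE_RESPONSE_LEVEL = 6  # <level>6</level> from the thread's ossec.conf

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: (?P<msg>.*)$")
# relay=[ip] or relay=hostname [ip]; both forms appear in the thread's log lines
IP_RE = re.compile(r"relay=(?:\S+ )?\[(?P<ip>\d+(?:\.\d+){3})\]")


def parse_line(line):
    """Split a sendmail syslog line into timestamp, source IP and message body."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = IP_RE.search(m.group("msg"))
    # Syslog timestamps carry no year; 2006 is assumed from the thread's date.
    ts = datetime.strptime("2006 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src_ip": ip.group("ip") if ip else None, "msg": m.group("msg")}


class Correlator:
    """Minimal stand-in for the analysis engine: returns the alerts one log line raises."""

    def __init__(self, base=BASE_RULE, composite=COMPOSITE_RULE):
        self.base = base
        self.composite = composite
        self.history = defaultdict(deque)  # source -> timestamps of base-rule matches

    def process(self, line):
        ev = parse_line(line)
        if ev is None or self.base["match"] not in ev["msg"]:
            return []
        alerts = [(self.base["id"], self.base["level"], ev["src_ip"])]

        # Composite rule: only events that already matched if_matched_sid are counted,
        # grouped per source when same_source_ip is set.
        key = ev["src_ip"] if self.composite["same_source_ip"] else "*"
        hist = self.history[key]
        hist.append(ev["ts"])
        while (ev["ts"] - hist[0]).total_seconds() > self.composite["timeframe"]:
            hist.popleft()  # drop hits that fell out of the timeframe
        if len(hist) >= self.composite["frequency"]:
            alerts.append((self.composite["id"], self.composite["level"], ev["src_ip"]))
            hist.clear()  # assumption: start a fresh window after escalating
        return alerts


def active_response(alerts, threshold=ACTIVE_RESPONSE_LEVEL):
    """Source IPs host-deny/firewall-drop would act on: alerts at level >= threshold only."""
    return sorted({ip for _sid, level, ip in alerts if ip and level >= threshold})


def run(log=SAMPLE_LOG, threshold=ACTIVE_RESPONSE_LEVEL):
    corr = Correlator()
    alerts = []
    for line in log.splitlines():
        alerts.extend(corr.process(line))
    return alerts, active_response(alerts, threshold)


if __name__ == "__main__":
    alerts, blocked = run()
    for sid, level, ip in alerts:
        print(f"Rule: {sid} (level {level}) -> Src IP: {ip}")
    print("blocked by active response:", blocked)
```

With the thread's threshold of 6, the three level-4 alerts for 125.131.7.212 do nothing on their own; only the level-12 composite alert on the third hit inside 120 seconds puts that address on the block list, and 192.0.2.44, with a single hit, is never blocked. Lowering the threshold to 4 (or raising 100101 to level 6, as Daniel suggests) blocks on the very first rejection instead.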
