Hi Joel,
I thought I had replied to you already, but it looks like I didn't.

If you look at your logs you will see some messages about "invalid username '?'". The problem is that ossec validates the username/srcip before sending to the active response scripts and it was considering the user "?" as invalid.

I made some changes to fix it and it is available in the 0.9-2 beta version (and it will be in the final 0.9-2).

http://www.ossec.net/files/snapshots/

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/16/06, Joel Gray <[EMAIL PROTECTED]> wrote:
Hi all,

I've recently had a series of attacks that cause the appropriate alert level 10 to fire; however, on the client they come from, the active response is not running the firewall-drop script. It does work for most of the ssh attacks that come in, adding the iptables rule and 600 seconds later removing it.

The only thing that I've noticed that is different is that the host is reported as [EMAIL PROTECTED] instead of a username. I ran the firewall-drop script and enclosed the ? with single quotes '?' and it added my iptables rule just fine. I do not know if that has anything to do with it or not, but I wanted to let you know just in case.

Here is the alert.

OSSEC HIDS Notification.
2006 Sep 16 07:42:06

Received From: (xxxxx) x.x.x.x.->/var/log/messages
Rule: 11306 fired (level 10) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):

pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]

--END OF NOTIFICATION

- Joel
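The validation Daniel describes (checking username and srcip before an active-response script is invoked) is the step that was rejecting the pure-ftpd "unknown user" marker "?". The following is an added illustration, not OSSEC's own code: it parses a constructed alert modelled on Joel's (the IP and agent name are placeholders), accepts "?" as a username while still refusing anything a shell could interpret, and hands the values to the script as an argv list rather than a shell string.

```python
import ipaddress
import re

# Constructed alert text modelled on the one in the thread. The agent name and
# IP are placeholders; pure-ftpd logs "?@ip" when the username is unknown.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2006 Sep 16 07:42:06
Received From: (agent01) 192.0.2.10->/var/log/messages
Rule: 11306 fired (level 10) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [Administrator]
"""

# Allow-list for a username passed to a response script: account characters,
# or the single "?" that pure-ftpd uses for "user unknown". Anything else
# (spaces, ';', '$', backticks, ...) is rejected rather than escaped.
USER_RE = re.compile(r"^[A-Za-z0-9._@-]+$|^\?$")

# Assumed script path and argument order (action, user, srcip); illustrative.
RESPONSE_SCRIPT = "/var/ossec/active-response/bin/firewall-drop.sh"


def valid_user(user):
    return bool(USER_RE.match(user))


def valid_srcip(ip):
    # ipaddress rejects trailing garbage such as "192.0.2.10;" outright.
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def parse_alert(text):
    """Return (user, srcip) from the pure-ftpd "(user@ip)" prefix, or None."""
    m = re.search(r"pure-ftpd: \(([^@()]+)@([^)]+)\)", text)
    return (m.group(1), m.group(2)) if m else None


def build_response(user, srcip, action="add"):
    """Return the argv for the response script, or None if validation fails.
    Passing an argv list (e.g. to subprocess.run) means the values are never
    parsed by a shell, so "?" is just a literal argument, not a glob."""
    if not (valid_user(user) and valid_srcip(srcip)):
        return None
    return [RESPONSE_SCRIPT, action, user, srcip]
```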
