I've not changed anything for a while, and when I updated recently to the latest OSSEC, I'm suddenly getting the reports below. Granted, they're not what I expected or configured them for... and I have active-response rules that still don't work, but I think this may be evidence that the OSSEC installations on BSD and Linux may behave differently.
It may be code, it may be the active-response scripts, or maybe both. Anyone else notice these oddities?
Has anyone considered my proposal for an alternative configuration method for active-response, Daniel?
First, my rule in local_rules.xml:

<rule id="100099" level="4">
  <match>reject=421 4.3.2</match>
  <description>421 reject code</description>
</rule>

<rule id="100102" level="12" frequency="1" timeframe="120">
  <if_sid>100099</if_sid>
  <!-- <if_sid>100099, 3107</if_sid> -->
  <match>Connection rate limit exceeded</match>
  <same_source_ip />
  <description>Sendmail connection rate throttle trap</description>
</rule>

Now the report I received:

OSSEC HIDS Notification.
2006 Sep 30 01:13:47

Received From: mail->/var/log/messages
Rule: 3156 fired (level 10) -> "Multiple rejected e-mails from same source ip."
Portion of the log(s):

sm-mta[51494]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51490]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51468]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51448]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51448]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51446]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51446]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51444]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51442]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
sm-mta[51443]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.

--END OF NOTIFICATION
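As an added illustration, not code from this post or from OSSEC itself, the following Python model shows what the composite rule 100102 above is meant to do: a base rule matches every "reject=421 4.3.2" line, and a second rule fires only when enough matching events arrive from the same source IP inside a timeframe. The sm-mta lines are constructed (modelled on the report, with timestamps and a second IP 203.0.113.7 added so the window and per-source grouping can be seen); the counting convention (the composite rule fires on the frequency-th matching event from one source inside the window, then resets) is an assumption for clarity, and OSSEC's own threshold arithmetic and rule ordering are not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumption): modelled on the sm-mta lines in the
# report, with syslog timestamps added and one extra source IP mixed in.
SAMPLE_LOG = """\
Sep 30 01:13:40 mail sm-mta[51494]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
Sep 30 01:13:41 mail sm-mta[51490]: ruleset=check_relay, arg1=[203.0.113.7], arg2=203.0.113.7, relay=[203.0.113.7], reject=421 4.3.2 Connection rate limit exceeded.
Sep 30 01:13:45 mail sm-mta[51468]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
Sep 30 01:16:30 mail sm-mta[51448]: ruleset=check_relay, arg1=[59.95.211.129], arg2=59.95.211.129, relay=[59.95.211.129], reject=421 4.3.2 Connection rate limit exceeded.
"""

# Pull the syslog timestamp and the relay IP out of an sm-mta line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: .*?relay=\[(?P<ip>[^\]]+)\]"
)


def parse_line(line, year=2006):
    """Return (timestamp, source_ip) for an sm-mta reject line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def correlate(lines, single_match, composite_match, frequency, timeframe):
    """Model a base rule plus a frequency/timeframe/same_source_ip rule.

    single_match    : substring the base rule requires (rule 100099's <match>)
    composite_match : extra substring the composite rule requires
    frequency       : matching events from one source inside the window that
                      trigger the composite rule (assumption: fires on the
                      frequency-th event, then the window resets)
    timeframe       : window length in seconds
    Returns (base_alerts, composite_alerts); each alert is a tuple.
    """
    history = defaultdict(deque)      # source IP -> timestamps in the window
    base_alerts, composite_alerts = [], []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None or single_match not in line:
            continue
        ts, ip = parsed
        base_alerts.append((ip, ts))
        if composite_match not in line:
            continue
        window = history[ip]
        window.append(ts)
        # Discard events older than the timeframe relative to this event.
        while window and (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            composite_alerts.append((ip, ts, len(window)))
            window.clear()            # one alert per burst
    return base_alerts, composite_alerts


if __name__ == "__main__":
    base, comp = correlate(SAMPLE_LOG, "reject=421 4.3.2",
                           "Connection rate limit exceeded",
                           frequency=2, timeframe=120)
    print(f"base rule matched {len(base)} lines")
    for ip, ts, n in comp:
        print(f"composite rule fired for {ip} at {ts:%H:%M:%S} ({n} events in window)")
```

Run as-is, the base rule matches all four lines, while the composite rule fires once, for 59.95.211.129 at 01:13:45, because its third line at 01:16:30 falls outside the 120-second window that was reset after the first alert and the other IP never reaches the threshold.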
