Sorry, after looking further into the old logs (the .gz ones), I've found that 203.114.112.197 fired rule "3103" and rule "103107" (for "421 4.3.2 Too many" and "421 4.3.2 Connection") but never fired "103157".

In fact, in the OSSEC log I get:
- One alert for "3103"
- 5 alerts for "103107"

but if you look at my mail.log from this example we get:
- 4 "reject=553 5.3.0"
- 8 "reject=421 4.3.2 Too many open connections"
- 4 "reject=421 4.3.2 Connection rate limit exceeded"

Shouldn't I have gotten 4+8+4 = 16 alerts?
And 12 "103107" alerts should have been sufficient to fire rule "103157", no?

Thanks for the help.

Sioban
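An added example, not from this thread and not OSSEC's own code: a small Python checker that tallies sendmail-style reject lines per relay IP and SMTP code, so the totals found in mail.log can be compared against the number of alerts a rule set actually produced. The log lines are constructed to mirror the 4/8/4 split described above (same IP, same reply codes); the frequency threshold of 12 is only an assumption standing in for whatever the real composite rule requires.

```python
import re
from collections import Counter

# sendmail writes "relay=[ip], reject=NNN X.Y.Z free text" on rejected connections;
# this regex pulls the relay IP, the SMTP code, the enhanced status code and the text.
REJECT_RE = re.compile(
    r"relay=\S*?\[(?P<ip>[\d.]+)\].*?reject=(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<text>[^,]*)"
)


def parse_reject(line):
    """Return (ip, code, dsn, text) for a reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("code"), m.group("dsn"), m.group("text").strip().rstrip(".")


def count_rejects(lines):
    """Count rejects per (ip, code, dsn, text) so log totals can be checked against alert totals."""
    counts = Counter()
    for line in lines:
        parsed = parse_reject(line)
        if parsed:
            counts[parsed] += 1
    return counts


def ips_over_threshold(counts, threshold, codes=("421",)):
    """IPs whose rejects with the given SMTP codes reach the threshold.

    This imitates a frequency-style composite rule; the threshold value is an
    assumption, not the real rule's setting.
    """
    per_ip = Counter()
    for (ip, code, _dsn, _text), n in counts.items():
        if code in codes:
            per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def make_line(ip, code, dsn, text, n):
    """Build one constructed sendmail log line (format only; queue id and host are made up)."""
    return (f"Mar  3 10:00:{n:02d} mx sendmail[12345]: s23A00{n:02d}012345: ruleset=check_relay, "
            f"arg1=[{ip}], arg2={ip}, relay=[{ip}], reject={code} {dsn} {text}")


# Constructed sample log: 4 x 553, 8 x 421 "Too many", 4 x 421 "Connection rate", plus one
# unrelated accepted-message line that must not be counted.
IP = "203.114.112.197"
SAMPLE_LOG = (
    [make_line(IP, "553", "5.3.0", "<bad@example.invalid>... Sender address rejected", i) for i in range(4)]
    + [make_line(IP, "421", "4.3.2", "Too many open connections.", 10 + i) for i in range(8)]
    + [make_line(IP, "421", "4.3.2", "Connection rate limit exceeded.", 20 + i) for i in range(4)]
    + ["Mar  3 10:00:30 mx sendmail[12345]: s23A0030012345: from=<ok@example.invalid>, "
       "size=100, relay=[198.51.100.7]"]
)


if __name__ == "__main__":
    totals = count_rejects(SAMPLE_LOG)
    for key, n in sorted(totals.items()):
        print(n, key)
    print("total rejects:", sum(totals.values()))
    print("IPs at/over 12 x 421:", ips_over_threshold(totals, 12))
```

Running the tally over a real mail.log and comparing the per-code totals with the alert count per rule id is the quickest way to see whether the gap comes from lines that never matched any rule (decoder or regex mismatch) or from alerts that matched but were collapsed by a frequency/timeframe setting.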
