Reply inline...

On 1/22/07, Surf Admin <[EMAIL PROTECTED]> wrote:

hello, some questions

on ossec agent machine what is difference between
  1. /var/ossec/logs/active-responses.log
  2. /var/ossec/active-response/ossec-hids-responses.log

The ossec-hids-responses log was used on versions older than 1.0.
On the new one we decided to keep all the logs in one place... So,
same file, same content, but at different locations.


I've a few local rules like this which I hope do what the description
says. (ossec is set to email 7+ and active-response rules are 6+)

<rule id="100104" level="6" frequency="10" timeframe="160">
     <if_sid>5551</if_sid>
     <description>Make Multiple failed logins not send email but still do active response</description>
</rule>

Originally it started like <rule id="100104" level="6"> but that seemed
to active-response people after 1 failed login.  So, it seems that when
"overloading" rules like this, parameters like frequency and timeframe
are not inherited.  Is that correct?  Is there a better solution to what
I'm trying to do?

This may sound a bit confusing, but I will try to explain anyway. Your original
rule, without the frequency, was working correctly, but due to a bug in
ossec, it would only show the last log received (instead of all the
failed logins)...
Your current rule is not going to work as expected. It is only going
to be fired if rule 5551 happens 10 times (and rule 5551 is only fired after
6 failed login attempts -- so 100104 is only going to show up after 60 failed
attempts).

You can keep the old rule and it is only going to show up after the 6 failed
login attempts, but only reporting the last log received... I have a fix ready
for that if you are interested.


thanks,
norm


Hope it clarifies a bit.

--
Daniel B. Cid
dcid ( at ) ossec.net
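As an added example, not part of this thread or of OSSEC's own code: a small Python model of how rules chain through <if_sid> and how frequency/timeframe count the parent rule's alerts rather than the underlying log lines. It reproduces the reply's point that the rule with frequency="10" only appears after 60 failed attempts (when they arrive quickly), and shows that with slower attempts it never fires at all. Rule id 5503, the 120 s timeframe on 5551 and the reset-after-firing behaviour are assumptions.

```python
# Added example (not from the thread): a simplified model of OSSEC composite
# rules chained with <if_sid> and counted with frequency/timeframe. Rule 5551 is
# assumed to fire on 6 failed logins (rule 5503) within 120 s, as the reply states;
# real OSSEC adds behaviour (ignore_time, per-source tracking) not modelled here.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    rule_id: int
    level: int
    if_sid: Optional[int] = None  # parent rule whose alerts this rule consumes
    frequency: int = 0            # matches needed inside timeframe (0 = every match)
    timeframe: int = 0            # seconds
    _hits: deque = field(default_factory=deque, repr=False)

    def observe(self, ts: int) -> bool:
        """Record one match at time ts; return True when the rule fires."""
        if self.frequency == 0:
            return True
        self._hits.append(ts)
        while ts - self._hits[0] > self.timeframe:  # drop matches outside the window
            self._hits.popleft()
        if len(self._hits) >= self.frequency:
            self._hits.clear()  # assumption: count afresh after firing
            return True
        return False


def simulate(rules, spacing: int, attempts: int):
    """Feed `attempts` failed logins, `spacing` seconds apart, through the chain.
    Returns {rule_id: attempt number at which the rule first fired, or None}."""
    first = {r.rule_id: None for r in rules}
    for n in range(1, attempts + 1):
        ts = (n - 1) * spacing
        fired = {None}  # the raw log line satisfies rules that have no parent
        for r in rules:  # parents must be listed before children
            if r.if_sid in fired and r.observe(ts):
                fired.add(r.rule_id)
                first[r.rule_id] = first[r.rule_id] or n
    return first


def chain(with_frequency: bool):
    """Surf Admin's rule 100104, with or without frequency="10" timeframe="160"."""
    local = (Rule(100104, 6, if_sid=5551, frequency=10, timeframe=160)
             if with_frequency else Rule(100104, 6, if_sid=5551))
    return [Rule(5503, 5), Rule(5551, 10, if_sid=5503, frequency=6, timeframe=120), local]
```

With one failed login per second, simulate(chain(True), 1, 60) first fires 100104 on attempt 60 and the original rule (chain(False)) on attempt 6; with one attempt every 10 seconds, 5551 fires only every 60 s, so ten of its alerts never fit in the 160 s window and 100104 stays silent.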
