Hi
I have had about a thousand failed courier pop login attempts over the last day which generate an alert at level 10 but rather unfortunately doesn't do active reponse ! Looking thru the log, it reports ip=[::ffff:193.68.217.36]. Do we need to some rule change to cope with the ::ffff: or is there something else missing? -using V1.2, local installation Thanks Pete ** Alert 1180483264.1707: - syslog,access_control,authentication_failed, 2007 May 30 00:01:04 server2->/var/log/syslog Rule: 2501 (level 5) -> 'User authentication failure.' Src IP: (none) User: (none) May 30 00:01:03 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] ** Alert 1180483264.1992: mail - syslog,attacks,authentication_failures, 2007 May 30 00:01:04 server2->/var/log/mail.info Rule: 40111 (level 10) -> 'Multiple authentication failures.' Src IP: (none) User: (none) May 30 00:01:02 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 30 00:01:03 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 30 00:01:02 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 30 00:00:46 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 30 00:00:42 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 30 00:00:42 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 30 00:00:31 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 30 00:00:26 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 29 23:59:26 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 29 23:59:11 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36] May 29 23:59:00 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
