Hi Peter,

The reason why the active responses are not working is because we don't have decoders to extract the source IP from courier log messages (OSSEC has decoders for every application that we want to extract information from the logs).

We can easily add support for it, but I would like to see a few more log samples. Can you share them with us? I am also interested in successful login messages and any other one that might show up. You can send it to us via the mailing list or post on our wiki: http://www.ossec.net/wiki/index.php/Log_Samples

*btw, does anyone here use webmails? We already support horde imp, but I am looking to add support for more (like open webmail, round cube, uebimiau, etc). If you have logs for any of those, please send them to us.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/30/07, Peter Robinson <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> I have had about a thousand failed courier pop login attempts over the
> last day which generate an alert at level 10 but rather unfortunately
> doesn't do active response !
>
> Looking thru the log, it reports ip=[::ffff:193.68.217.36]. Do we need
> to do some rule change to cope with the ::ffff: or is there something else
> missing?
>
> -using V1.2, local installation
>
> Thanks
>
> Pete
>
> ** Alert 1180483264.1707: - syslog,access_control,authentication_failed,
> 2007 May 30 00:01:04 server2->/var/log/syslog
> Rule: 2501 (level 5) -> 'User authentication failure.'
> Src IP: (none)
> User: (none)
> May 30 00:01:03 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
>
> ** Alert 1180483264.1992: mail - syslog,attacks,authentication_failures,
> 2007 May 30 00:01:04 server2->/var/log/mail.info
> Rule: 40111 (level 10) -> 'Multiple authentication failures.'
> Src IP: (none)
> User: (none)
> May 30 00:01:02 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 30 00:01:03 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 30 00:01:02 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 30 00:00:46 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 30 00:00:42 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 30 00:00:42 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 30 00:00:31 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 30 00:00:26 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 29 23:59:26 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 29 23:59:11 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
> May 29 23:59:00 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
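Added example, not OSSEC's decoder or anything posted in this thread: the extraction logic a courier decoder needs, written in Python so it can be run against sample lines. It pulls the source address out of `ip=[...]`, unmaps the `::ffff:` IPv4-mapped form Peter asked about (so the alert gets a real "Src IP" for active response to act on), and counts repeated failures per source the way a "multiple authentication failures" rule does. The successful-login line format (`LOGIN, user=..., ip=[...]`), the frequency/timeframe values and the sample lines are assumptions, not rule 40111's settings.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the ones quoted in the thread; the
# courierimaplogin success line is an assumed format, not one from the thread.
SAMPLE_LOG = """\
May 30 00:00:26 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
May 30 00:00:31 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
May 30 00:00:42 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
May 30 00:01:02 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
May 30 00:01:03 server2 courierpop3login: LOGIN FAILED, ip=[::ffff:193.68.217.36]
May 30 00:01:03 server2 courierimaplogin: LOGIN, user=alice, ip=[::ffff:10.0.0.5]
May 30 00:01:04 server2 courierpop3login: LOGIN FAILED, ip=[2001:db8::1]
"""

# program_name matches courierpop3login / courierimaplogin; the user= field is
# optional because failed logins in the thread carry only the ip= field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>courier\w*login): "
    r"(?P<event>LOGIN FAILED|LOGIN)(?:, user=(?P<user>\S+))?, ip=\[(?P<ip>[^\]]+)\]$"
)

def decode(line):
    """Decode one syslog line; return a dict with srcip or None if not courier."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    # Courier logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d). Unmap so
    # the address is the plain IPv4 a firewall/active-response rule expects.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return {"ts": m["ts"], "prog": m["prog"], "event": m["event"],
            "user": m["user"], "srcip": str(ip)}

def multiple_failures(log, frequency=5, timeframe=120, year=2007):
    """Return source IPs with >= frequency LOGIN FAILED events inside any
    timeframe-second window (frequency/timeframe are assumed values)."""
    per_ip = defaultdict(list)
    for line in log.splitlines():
        ev = decode(line)
        if ev and ev["event"] == "LOGIN FAILED":
            # syslog lines carry no year; the thread's alerts are from 2007
            per_ip[ev["srcip"]].append(
                datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S"))
    hits = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - frequency + 1):
            if (times[i + frequency - 1] - times[i]).total_seconds() <= timeframe:
                hits.add(ip)
                break
    return hits
```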
