On Fri, 19-10-2007 at 10:09 -0400, McClinton, Rick wrote:
> You can take the event id from active-responses.log and look it up in
> alerts.log.
>
> Active-responses.log:
>
> Fri Oct 19 08:23:37 EDT 2007 /var/ossec/active-response/bin/host-deny.sh
> delete - 200.56.139.214 1192795987.2901765 5712
>
> 1192795987.2901765 is the ID. In alerts.log:
>
> ** Alert 1192795987.2901765: - syslog,sshd,invalid_login,
> 2007 Oct 19 08:13:07 bro->/var/log/secure
> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
> Src IP: 200.56.139.214
> User: (none)
> Oct 19 08:13:07 bro sshd[26650]: Illegal user william from 200.56.139.214
Great response, thanks! :)

--
GIT CONSULTORS
www.git.es
Tel: +34 971 498 310
Fax: +34 971 496 189
C/ Francesc Rover, 2B. 07003 Palma de Mallorca – Illes Balears (España)
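The lookup described in the quoted reply, scripted as an added example (not part of the thread or of OSSEC itself): it parses active-responses.log lines in the format shown above, pulls out the alert id field, and finds the matching `** Alert <id>:` block in alerts.log. The sample log text is constructed from the entries quoted in the thread plus one extra alert with a documentation IP; the field names in the regex are assumptions about the layout, not OSSEC's own names.

```python
import re

# Constructed sample input: the active-response entry quoted in the thread.
ACTIVE_RESPONSES_LOG = """\
Fri Oct 19 08:23:37 EDT 2007 /var/ossec/active-response/bin/host-deny.sh delete - 200.56.139.214 1192795987.2901765 5712
"""

# Constructed sample input: the alert quoted in the thread plus a second,
# unrelated alert (203.0.113.7 is a documentation address) that must not match.
ALERTS_LOG = """\
** Alert 1192795987.2901765: - syslog,sshd,invalid_login,
2007 Oct 19 08:13:07 bro->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 200.56.139.214
User: (none)
Oct 19 08:13:07 bro sshd[26650]: Illegal user william from 200.56.139.214

** Alert 1192795990.2901900: - syslog,sshd,invalid_login,
2007 Oct 19 08:13:10 bro->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 203.0.113.7
User: (none)
Oct 19 08:13:10 bro sshd[26660]: Illegal user admin from 203.0.113.7
"""

# Layout assumed from the quoted line: timestamp, script, action, user, ip, alert id, rule id.
AR_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \w+ \d{4}) (?P<script>\S+) (?P<action>\S+) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<alert_id>\d+\.\d+) (?P<rule>\d+)$"
)

def parse_active_responses(text):
    """Yield one dict per active-response entry; 'alert_id' is the lookup key."""
    for line in text.splitlines():
        m = AR_LINE.match(line)
        if m:
            yield m.groupdict()

def index_alerts(text):
    """Split alerts.log into '** Alert' blocks and map alert id -> block text."""
    alerts = {}
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        m = re.match(r"\*\* Alert (\d+\.\d+):", block)
        if m:
            alerts[m.group(1)] = block.strip()
    return alerts

def correlate(ar_text, alerts_text):
    """Return (active-response entry, matching alert block or None) pairs."""
    alerts = index_alerts(alerts_text)
    return [(ar, alerts.get(ar["alert_id"])) for ar in parse_active_responses(ar_text)]

if __name__ == "__main__":
    for ar, alert in correlate(ACTIVE_RESPONSES_LOG, ALERTS_LOG):
        print(f"{ar['script']} {ar['action']} {ar['ip']} -> alert {ar['alert_id']}")
        print(alert or "  (no matching alert found)")
```

On a real box, read `/var/ossec/logs/active-responses.log` and `/var/ossec/logs/alerts/alerts.log` into the two strings instead of the constructed samples.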
