Hello,

On Thu, 29 Nov 2007 16:21:02 -0400 "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> rule 3302 instead of creating a new one (just paste the following on
> local_rules.xml).
>
> <rule id="3302" level="1" overwrite="yes">
>   <if_sid>3300</if_sid>
>   <id>^550$</id>
>   <description>Rejected by access list </description>
>   <description>(Requested action not taken).</description>
>   <group>spam,</group>
> </rule>

I've got a strange result. With this rule I see in alerts.log:

** Alert 1196441495.1580333: - local,syslog,postfix,spam,
2007 Nov 30 19:51:35 betty->/var/log/all.log
Rule: 3302 (level 100) -> 'Rejected by access list (Requested action not taken). '

Note the "level" number. I've double-checked that the rule uses level="1".
After changing the rule to level="2" it shows me:

** Alert 1196442339.1619757: - local,syslog,postfix,spam,
2007 Nov 30 20:05:39 betty->/var/log/all.log
Rule: 3302 (level 2) -> 'Rejected by access list (Requested action not taken).'

But the Src IP was blocked even with <level>6</level> in <active-response>.
It is not what I want. I want to block the Src IP on rule 3352 instead of 3302.

PS. I use OSSEC 1.3

-- 
DSS5-RIPE DSS-RIPN mailto:[EMAIL PROTECTED] xmpp:[EMAIL PROTECTED] http://wizard.volgograd.ru/ 2:550/[EMAIL PROTECTED] 2:550/[EMAIL PROTECTED]
