Hi Denis,

This level "100" alert is a bug that I just fixed at:
http://www.ossec.net/files/snapshots/ossec-hids-071206.tar.gz

Try updating to this version and it should work.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 30, 2007 1:12 PM, Denis Shaposhnikov <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> On Thu, 29 Nov 2007 16:21:02 -0400
> "Daniel Cid" <[EMAIL PROTECTED]> wrote:
>
> > rule 3302 instead of creating a new one (just paste the following on
> > local_rules.xml).
> >
> > <rule id="3302" level="1" overwrite="yes">
> > <if_sid>3300</if_sid>
> > <id>^550$</id>
> > <description>Rejected by access list </description>
> > <description>(Requested action not taken).</description>
> > <group>spam,</group>
> > </rule>
>
> I've got a strange result. With this rule I see in alerts.log:
>
> ** Alert 1196441495.1580333: - local,syslog,postfix,spam,
> 2007 Nov 30 19:51:35 betty->/var/log/all.log
> Rule: 3302 (level 100) -> 'Rejected by access list (Requested action
> not taken). '
>
> Note "level" number. I've double checked that the rule uses level="1".
> After changing the rule with level="2" it shows me:
>
> ** Alert 1196442339.1619757: - local,syslog,postfix,spam,
> 2007 Nov 30 20:05:39 betty->/var/log/all.log
> Rule: 3302 (level 2) -> 'Rejected by access list (Requested action not
> taken).'
>
> But Src IP was blocked even with <level>6</level> in <active-response>.
> It is not what I want. I want to block Src IP on rule 3352 instead of
> 3302.
>
> PS. I use OSSEC 1.3
>
> --
> DSS5-RIPE DSS-RIPN mailto:[EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
> http://wizard.volgograd.ru/ 2:550/[EMAIL PROTECTED] 2:550/[EMAIL PROTECTED]
>
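
Added example (not part of the original messages and not OSSEC code): a sanity check for the symptom reported in this thread, comparing the level logged in alerts.log with the level configured for the rule. The function and constant names are hypothetical; the rule and the two alert entries are the ones quoted above, with the e-mail line wrap undone.

```python
import re
import xml.etree.ElementTree as ET

# Override rule as quoted in the thread (pasted into local_rules.xml).
LOCAL_RULES = """
<rule id="3302" level="1" overwrite="yes">
  <if_sid>3300</if_sid>
  <id>^550$</id>
  <description>Rejected by access list </description>
  <description>(Requested action not taken).</description>
  <group>spam,</group>
</rule>
"""
# alerts.log entry from the thread (rule at level="1"), e-mail line wrap undone.
ALERT_LEVEL1 = """\
** Alert 1196441495.1580333: - local,syslog,postfix,spam,
2007 Nov 30 19:51:35 betty->/var/log/all.log
Rule: 3302 (level 100) -> 'Rejected by access list (Requested action not taken). '
"""
# Entry logged after the rule was changed to level="2".
ALERT_LEVEL2 = """\
** Alert 1196442339.1619757: - local,syslog,postfix,spam,
2007 Nov 30 20:05:39 betty->/var/log/all.log
Rule: 3302 (level 2) -> 'Rejected by access list (Requested action not taken).'
"""

ALERT_HDR = re.compile(r"^\*\* Alert (\d+\.\d+):")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> ")

def configured_levels(rules_xml):
    """Map rule id -> configured level (a synthetic root wraps the rule elements)."""
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    return {int(r.get("id")): int(r.get("level")) for r in root.iter("rule")}

def level_mismatches(alerts_text, levels):
    """Return (alert_id, rule_id, configured, logged) where the levels differ."""
    hits, alert_id = [], None
    for line in alerts_text.splitlines():
        hdr, rule = ALERT_HDR.match(line), RULE_LINE.match(line)
        if hdr:
            alert_id = hdr.group(1)
        elif rule:
            rule_id, logged = int(rule.group(1)), int(rule.group(2))
            if levels.get(rule_id, logged) != logged:
                hits.append((alert_id, rule_id, levels[rule_id], logged))
    return hits

if __name__ == "__main__":
    print(level_mismatches(ALERT_LEVEL1, configured_levels(LOCAL_RULES)))
```

Rules that are absent from the supplied XML are skipped, so the check only covers rules whose definitions are passed in.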
