One of our DMZ boxes got hit hard the other day. It was all SSH and FTP; over a 15 minute period I got roughly 12 emails, some containing multiple alerts regarding multiple failed logins, and one complaining about the average size of the logs (it had quadrupled).
Weird thing was, after looking over the logs, the active response kicked off when it should have, but didn't seem to take effect, as the attacks and alerts continued for another 10 minutes... This has never happened before; usually I just get one email regarding the failed attempts, and that's it, because they get blocked. This time, they just kept coming. I'm still looking into it, and I'll let you know what I find out.

On Mon, Mar 24, 2008 at 9:28 PM, Andrew Storms <[EMAIL PROTECTED]> wrote:
> OK, thanks Daniel, I'll take another look. Maybe the bots hitting me are
> faster than yours ;-)
>
> On 3/24/08 11:56 AM, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> > Hi Andrew,
> >
> > It is just the time to send a message via unix-socket (or via the
> > network if it is supposed to run on the agent) plus the time to
> > execute the script. However, note that the response will only kick
> > in after
> ....
