Hi Peter,

Very good suggestion. Plus, the reason why it is not working is that rule 5712 is never firing, since you have a local rule (100160) overwriting it...

You will need to change your active response config to be:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100160</rules_id>
  <timeout>240</timeout>
</active-response>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, May 13, 2008 at 12:37 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Peter:
>
> If all you are doing is taking the same rule but wanting to change the
> level to avoid notification, then copy the rule to local_rules.xml and
> use the overwrite="yes" option.
>
> Example:
>
> <group name="syslog,vpopmail,">
>   <rule id="9951" level="10" frequency="20" timeframe="60" overwrite="yes">
>     <if_matched_sid>9901</if_matched_sid>
>     <same_source_ip />
>     <description>POP3 brute force (multiple failed logins).</description>
>     <group>authentication_failures,</group>
>   </rule>
>
>   <rule id="9952" level="10" frequency="20" timeframe="60" overwrite="yes">
>     <if_matched_sid>9902</if_matched_sid>
>     <same_source_ip />
>     <description>POP3 brute force (email harvesting).</description>
>     <group>authentication_failures,</group>
>   </rule>
> </group>
>
> Then restart ossec.
>
> Thank you.
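The mismatch Daniel points out (an active response keyed on base rule 5712 while the alert actually carries the local child rule 100160) is easy to check for before restarting OSSEC. The script below is an added example written for this thread, not OSSEC's own code or anything from the list: it parses a local_rules.xml and an ossec.conf fragment, both constructed samples embedded inline, and flags every `<rules_id>` entry that a local rule chained with `<if_sid>` takes over. It assumes the behaviour described in the reply, namely that a matching `<if_sid>` child replaces the parent's alert (so the alert id is the child's), while a rule with `overwrite="yes"` keeps the same id and needs no change.

```python
"""Check that OSSEC <active-response> rules_id entries still match alerts after
local rules have been chained onto the base rules they reference.

Added example for this thread, not OSSEC's own code. It models the behaviour
the reply describes: when a local rule (here 100160) hangs off a base rule
(5712) with <if_sid>, the alert carries the child's id, so an active response
keyed on 5712 never triggers. Rules that use overwrite="yes" keep their id and
are not flagged. All sample files below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed local_rules.xml: 100160 is chained onto base rule 5712 (alerts
# will carry 100160); 9951 replaces the base rule in place via overwrite="yes".
LOCAL_RULES_XML = """
<group name="local,syslog,">
  <rule id="100160" level="5">
    <if_sid>5712</if_sid>
    <description>Local copy of 5712 with a lower level.</description>
  </rule>
</group>
<group name="syslog,vpopmail,">
  <rule id="9951" level="10" frequency="20" timeframe="60" overwrite="yes">
    <if_matched_sid>9901</if_matched_sid>
    <same_source_ip />
    <description>POP3 brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>
</group>
"""

# Constructed ossec.conf fragment with two active responses.
OSSEC_CONF_XML = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>240</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>9951</rules_id>
    <timeout>240</timeout>
  </active-response>
</ossec_config>
"""


def _split_ids(text):
    """Split a comma-separated id list such as '5712,5720' into clean strings."""
    return [s.strip() for s in (text or "").split(",") if s.strip()]


def parse_local_rules(xml_text):
    """Return {rule_id: set of parent ids named in <if_sid>} for every <rule>.

    OSSEC rule files can hold several top-level <group> elements and no XML
    declaration, so the text is wrapped in a synthetic root before parsing.
    Only <if_sid> is recorded, because a matching child replaces the parent's
    alert. <if_matched_sid> (frequency rules) is left alone: the parent rule
    still alerts on its own for each single event.
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = {}
    for rule in root.iter("rule"):
        parents = set()
        for node in rule.findall("if_sid"):
            parents.update(_split_ids(node.text))
        rules[rule.get("id")] = parents
    return rules


def check_active_responses(conf_text, rules):
    """Report (configured_id, [child ids]) for every rules_id entry that a
    local <if_sid> child takes over and that is not itself listed."""
    root = ET.fromstring(conf_text)
    findings = []
    for ar in root.iter("active-response"):
        node = ar.find("rules_id")
        if node is None:
            continue
        configured = _split_ids(node.text)
        for rid in configured:
            children = sorted(
                cid for cid, parents in rules.items()
                if rid in parents and cid not in configured
            )
            if children:
                findings.append((rid, children))
    return findings


def main():
    rules = parse_local_rules(LOCAL_RULES_XML)
    for rid, children in check_active_responses(OSSEC_CONF_XML, rules):
        print(f"rules_id {rid}: alerts now carry {', '.join(children)}; "
              f"use <rules_id>{','.join(children)}</rules_id> instead")


if __name__ == "__main__":
    main()
```

Running it on the constructed files reports only the 5712 entry and suggests `<rules_id>100160</rules_id>`, which is the change Daniel asks for; the 9951 entry is left alone because `overwrite="yes"` keeps the original id. To use it on a real deployment, read the contents of local_rules.xml and the `<active-response>` blocks of ossec.conf into the two string constants.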
