I would suggest posting the version of OSSEC that you're using, the rule that is specifically being fired @ level 10 (I believe there is more than one type of ssh brute force attack if I remember correctly), and then the <active-response> portion of your ossec.conf file. Snippets of the log itself may help, too.
I know that you specified that you're using the 'defaults', but if you tag these pieces of information along in your messages it'll make things easier for someone that may know the answer off the top of their head to post a response to you. I'm pretty sure most of the people on this mailing list don't have the time to sit and research various responses to questions like this most of the time; nobody gets paid to respond to the mailing list. :)

HTH.

----------
Damon Getsman
-=-=-=-
ITRx
http://www.itrx-nd.com/
Programmer/IT Customer Relations/Sys Admin
-=-=-=-

On Tue, Mar 3, 2009 at 2:23 AM, cianop <[email protected]> wrote:
>
> Hey, someone can help me please, I have a lot of brute force attacks
> notified by OSSEC, and the active-response doesn't work before
> or after they go inside. Anyone at OSSEC can help me?
> [snip]

On 19 Feb, 16:18, cianop <[email protected]> wrote:
> Hi, I had an OSSEC notification that says that a rule with level 10 was
> fired but I didn't see any active-response action. I mean no
> modification of hosts.*, no logs in the active-response dir or logs dir.
> I have the default rules installed and the two default commands and
> related active-responses (host-deny
> and firewall-drop) with the firewall-drop disabled. There is also no
> error in ossec.log
> [snip]
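A quick way to check the two things the reply asks for (the level threshold and whether the response is disabled) is to parse the `<active-response>` section and ask which responses would run for a level 10 alert. The script below is an added example, not code from the thread or from the OSSEC project; it assumes the OSSEC 2.x `ossec.conf` layout (`<command>` definitions plus `<active-response>` blocks with `<level>`, `<disabled>`, `<rules_id>`, `<location>` and `<timeout>`), and `SAMPLE_CONF` is a constructed config that mirrors the poster's setup: host-deny enabled, firewall-drop disabled. The function names (`load_active_responses`, `evaluate`, `would_fire`) are my own.

```python
# Added example (not from the thread): parse the <active-response> section of an
# OSSEC ossec.conf and report which responses would fire for an alert of a given
# level. Config layout assumed to be OSSEC 2.x; SAMPLE_CONF is constructed.
import xml.etree.ElementTree as ET

# Constructed sample: default host-deny enabled, firewall-drop disabled, both at
# the default minimum level of 6.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <disabled>yes</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""


def load_active_responses(conf_text):
    """Return one dict per <active-response> block, noting whether its command is defined."""
    # A real ossec.conf may contain several top-level <ossec_config> elements,
    # which is not one well-formed XML document; a synthetic root makes it parseable.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # Top-level <command> definitions carry a <name> child; the <command> reference
    # inside an <active-response> does not, so filter on that.
    defined = {c.findtext("name").strip() for c in root.iter("command")
               if c.find("name") is not None}
    responses = []
    for ar in root.iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        rules = ar.findtext("rules_id") or ""
        responses.append({
            "command": cmd,
            "defined": cmd in defined,
            "disabled": (ar.findtext("disabled") or "no").strip().lower() == "yes",
            "level": int((ar.findtext("level") or "0").strip()),
            "rules_id": {r.strip() for r in rules.split(",") if r.strip()},
            "location": (ar.findtext("location") or "").strip(),
            "timeout": (ar.findtext("timeout") or "").strip(),
        })
    return responses


def evaluate(responses, alert_level, rule_id=None):
    """For each response, decide whether it fires for this alert and explain why not."""
    verdicts = []
    for r in responses:
        fires = False
        if r["disabled"]:
            reason = "disabled in ossec.conf"
        elif not r["defined"]:
            reason = "no <command> block named %r" % r["command"]
        elif alert_level < r["level"]:
            reason = "alert level %d is below threshold %d" % (alert_level, r["level"])
        elif r["rules_id"] and (rule_id is None or str(rule_id) not in r["rules_id"]):
            reason = "restricted to rules %s" % sorted(r["rules_id"])
        else:
            fires = True
            reason = "fires (%s, timeout %ss)" % (r["location"], r["timeout"] or "none")
        verdicts.append((r["command"], fires, reason))
    return verdicts


def would_fire(conf_text, alert_level, rule_id=None):
    """Names of the responses that would run for an alert of this level."""
    return [cmd for cmd, ok, _ in
            evaluate(load_active_responses(conf_text), alert_level, rule_id) if ok]


if __name__ == "__main__":
    # Replace SAMPLE_CONF with open("/var/ossec/etc/ossec.conf").read() on a real host.
    for cmd, ok, why in evaluate(load_active_responses(SAMPLE_CONF), 10):
        print("%-14s %s" % (cmd, why))
```

On the sample, a level 10 alert reports host-deny as firing and firewall-drop as disabled; if the real config reports nothing firing, the reason column points at the threshold, the `<disabled>` flag, a `<rules_id>` restriction, or a missing `<command>` definition. If the script says host-deny should fire but hosts.deny and active-responses.log still show nothing, the problem is past the configuration (the response script itself or the agent/server location), which is where the log snippets the reply asks for come in.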
