Hey,

Active Response runs only if

a) the level of the matched rule is as high as the threshold for active
response (see ossec.conf)
b) the decoder can extract a source IP from the log entry

You do not need to do any coding here. Just some XML descriptions.

What alerts is ossec giving you for your rule?

On Thu, Mar 18, 2010 at 9:05 PM, rafael.gomes <[email protected]> wrote:

> Hi Guys,
>
> I am getting this msg in my OSSEC:
>
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:05:13 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
>
> But it doesn't trigger active response. Why?
>
> I got this archived mail:
>
> http://www.mail-archive.com/[email protected]/msg01874.html
>
> I know that developers need time to do this, I am not demanding anything,
> just asking whether they intend to develop it soon.
>
> This log is killing me, I am thinking about adding another tool just to
> control it.
>
> I am not able to help with devel, but I can test if you need.
>
> Thanks!
>
> --
> Regards,
>
> Rafael Brito Gomes
> Security Analyst
> LPIC-1 MCSO
> DISUP/CPD/UFBA
> Tel : +55 71 3283 6100
>
> To unsubscribe from this group, send email to ossec-list+
> unsubscribegooglegroups.com or reply to this email with the words "REMOVE
> ME" as the subject.
>

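The two conditions from the reply above (rule level at or above the active-response threshold, and a decoder that extracts srcip) written out as OSSEC XML for the courierpop3login lines in the question. This is an added example, not code from the thread or the decoders and rules shipped with OSSEC; the rule ids 100100/100101, the frequency/timeframe values and the 600-second timeout are assumptions.

```xml
<!-- etc/local_decoder.xml: the child decoder pulls user and srcip out of
     "LOGIN FAILED, user=..., ip=[...]". If etc/decoder.xml already defines a
     courier parent decoder, keep only one of them. -->
<decoder name="courier">
  <program_name>^courier</program_name>
</decoder>

<decoder name="courier-fail">
  <parent>courier</parent>
  <prematch>^LOGIN FAILED, </prematch>
  <regex offset="after_prematch">^user=(\S+), ip=\[(\S+)\]</regex>
  <order>user, srcip</order>
</decoder>

<!-- rules/local_rules.xml: ids 100100/100101 are assumed to be unused locally.
     Rule 100100 alone (level 5) stays below the threshold set further down;
     only the correlated rule 100101 (level 10) can trigger a response. -->
<group name="local,courier,">
  <rule id="100100" level="5">
    <decoded_as>courier</decoded_as>
    <match>LOGIN FAILED</match>
    <description>Courier POP3/IMAP login failed.</description>
  </rule>

  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Courier: repeated login failures from the same source IP.</description>
  </rule>
</group>

<!-- ossec.conf: <expect>srcip</expect> is condition (b) from the reply, the
     response is skipped when the decoder produced no srcip; <level>10</level>
     is condition (a), the minimum alert level that fires the command. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

With the log lines from the question, the captured srcip is the literal `::ffff:18.104.87.110` string between the brackets; /var/ossec/logs/active-responses.log shows the exact value the script was handed once a level-10 alert fires.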