Oscar,
My conf on this host is:

    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>
That error is level 10:

    Rule: 3910 fired (level 10) -> "Courier brute force (multiple failed logins)."
Best regards,
Rafael Brito Gomes
Security Analyst
LPIC-1 MCSO
DISUP/CPD/UFBA
Tel: +55 71 3283 6100
On 18-03-2010 17:43, oscar schneider wrote:
> Hey,
>
> Active Response runs only if
>
> a) the level of the matched rule is as high as the threshold for active
> response (see ossec.conf)
> b) the decoder can extract a source IP from the log entry
>
> You do not need to do any coding here. Just some XML descriptions.
>
> What alerts is ossec giving you for your rule?
>
> On Thu, Mar 18, 2010 at 9:05 PM, rafael.gomes <[email protected]> wrote:
>
> Hi Guys,
>
> I am getting this msg in my OSSEC:
>
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:05:13 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]
>
> But it doesn't trigger active response. Why?
>
> I got this archived mail:
>
> http://www.mail-archive.com/[email protected]/msg01874.html
>
> I know that the developers need time to do this; I am not demanding anything,
> just asking whether they intend to develop it soon.
>
> This log is killing me; I am thinking about adding another tool just to
> control it.
>
> I am not able to help with devel, but I can test if you need.
>
> Thanks!
>
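As an added example (not code from this thread or from OSSEC), the following Python replays Oscar's two conditions over the courierpop3login format Rafael posted: the composite rule must reach the configured active-response level, and the decoder must hand back a source IP. The sample lines, the year 2010, and the frequency/timeframe used for rule 3910 are constructed assumptions; note that Courier logs IPv4 clients as IPv4-mapped IPv6 (`::ffff:a.b.c.d`), which the decoder step has to normalise before firewall-drop can use it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the courierpop3login format from the thread (placeholder user and IP).
SAMPLE_LOG = """\
Mar 18 10:05:13 server courierpop3login: LOGIN FAILED, u@example.invalid, ip=[::ffff:198.51.100.7]
Mar 18 10:06:30 server courierpop3login: LOGIN FAILED, u@example.invalid, ip=[::ffff:198.51.100.7]
Mar 18 10:06:30 server courierpop3login: LOGIN FAILED, u@example.invalid, ip=[::ffff:198.51.100.7]
Mar 18 10:07:41 server courierpop3login: LOGIN FAILED, u@example.invalid, ip=[::ffff:198.51.100.7]
Mar 18 10:07:41 server courierpop3login: LOGIN FAILED, u@example.invalid, ip=[::ffff:198.51.100.7]
Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, u@example.invalid, ip=[::ffff:198.51.100.7]
Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, x@example.invalid, ip=[unknown]
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ courierpop3login: "
                     r"LOGIN FAILED, \S+, ip=\[(?P<ip>[^\]]+)\]$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Values from the thread: Rafael's <active-response> block and the level of rule 3910.
AR_CONF = {"command": "firewall-drop", "location": "local", "level": 6, "timeout": 600}
RULE_3910 = {"level": 10, "frequency": 6, "timeframe": 300}  # frequency/timeframe are assumed

def decode(line):
    """Decoder step: return (timestamp, srcip); srcip is None when no usable address is found.
    The IPv4-mapped '::ffff:' prefix is stripped so firewall-drop receives a plain IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = m["ip"][7:] if m["ip"].startswith("::ffff:") else m["ip"]
    ts = datetime.strptime("2010 " + m["ts"], "%Y %b %d %H:%M:%S")  # year assumed; syslog omits it
    return ts, (ip if IPV4_RE.match(ip) else None)

def evaluate(log_text, ar_conf=AR_CONF, rule=RULE_3910):
    """Replay the log; each time the composite rule fires, record whether active response
    would run: rule level >= configured AR level, and a srcip was decoded."""
    seen = defaultdict(list)    # srcip -> failure timestamps still inside the timeframe
    decisions = []
    for line in log_text.splitlines():
        decoded = decode(line)
        if decoded is None:
            continue
        ts, ip = decoded
        seen[ip] = [t for t in seen[ip] if (ts - t).total_seconds() <= rule["timeframe"]] + [ts]
        if len(seen[ip]) >= rule["frequency"]:
            level_ok, srcip_ok = rule["level"] >= ar_conf["level"], ip is not None
            decisions.append({"srcip": ip, "level_ok": level_ok, "srcip_ok": srcip_ok,
                              "run": level_ok and srcip_ok})
            seen[ip] = []       # composite rules start a fresh count after firing
    return decisions
```

With Rafael's level-6 configuration and the level-10 rule, `evaluate(SAMPLE_LOG)` yields one decision with `run` true for `198.51.100.7`; a line whose `ip=[...]` field holds no parseable address decodes to `srcip None`, which is the second condition failing.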
To unsubscribe from this group, send email to
ossec-list+unsubscribegooglegroups.com or reply to this email with the
words "REMOVE ME" as the subject.