I was wondering if anyone who has had experience using OSSEC could help me out. I added a custom rule to my local_rule.xml file which looks like:

    <rule id="1100002" level="3">
      <if_sid>11200</if_sid>
      <match>FTP session opened.$</match>
      <options>alert_by_email</options>
      <description>FTP session opened.</description>
    </rule>
I need to be alerted when anyone logs in via proftpd. However, when I raise the level to 7 or above, I get an alert emailed to me saying "FTP Session Opened", but I can no longer FTP into the site because active response places my IP in hosts.deny. The OSSEC alert log says:

    ** Alert 1274635734.53838: - syslog,proftpd,invalid_login,
    2010 May 23 13:28:54 cyberserve.cyberwatchers.local->/var/log/proftpd.log
    Rule: 11203 (level 5) -> 'Attempt to login using a non-existent user.'
    Src IP: 173.100.213.174
    User: (none)
    May 23 13:28:52 cyberserve.cyberwatchers.local proftpd[13172] cyberserve.cyberwatchers.local (173.100.213.xxx[173.100.213.xxx]): USER anonymous: no such user found from 173.100.213.xxx [173.100.213.xxx] to 10.1.1.7:21

I am currently running OSSEC locally on the proftpd server, which is running CentOS 5. All the logs are going into /var/log/proftpd.log. I am not using syslog because I am using syslog-ng to gather logs both locally and from remote clients. So, with that being said, the FTP logs I am having the issue with are local to the box itself. Any help would be super!
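As an added example, not part of the original post, the following shows one way to keep the informational login alert and the blocking response on separate tracks. The rule ids 1100002, 11200 and 11203 and the "FTP session opened." text come from the post; the group name, the ossec.conf active-response block, its level of 6 and the timeout are assumptions for illustration.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; group name is assumed) -->
<group name="local,proftpd,">

  <!-- Child of the proftpd grouping rule 11200, as in the post.
       The level stays at 3 on purpose: a level-3 event cannot by itself
       reach an active-response threshold, so it never lands in hosts.deny.
       alert_by_email forces the email even when 3 is below the global
       email_alert_level in ossec.conf. -->
  <rule id="1100002" level="3">
    <if_sid>11200</if_sid>
    <match>FTP session opened.$</match>
    <options>alert_by_email</options>
    <description>FTP session opened.</description>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf excerpt (assumed values): host-deny fires only
     from level 6 upward, so rule 11203 (level 5, "non-existent user") and
     the level-3 login notice above both stay below the blocking threshold. -->
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>   <!-- assumed: unblock after 10 minutes -->
  </active-response>
</ossec_config>
```

Before restarting OSSEC, you can feed a captured proftpd line to /var/ossec/bin/ossec-logtest to see which rule id and level it resolves to; the "Rule: 11203 (level 5)" line in the alert above is the kind of result it prints. If the response must be tied to particular rules rather than to a level, OSSEC also accepts a `<rules_id>` list inside the `<active-response>` block, which lets the login notice stay emailed while only the chosen rules can block.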
