On Thu, Nov 4, 2010 at 3:28 PM, Chad Robertson <[email protected]> wrote:
> On the server:
>
> ossec.conf
>
>   <active-response>
>     <command>host-deny</command>
>     <location>local</location>
>     <rules_id>100055</rules_id>
>     <timeout>600</timeout>
>   </active-response>
>
> local_rules.xml
>
>   <rule id="100055" level="14">
>     <decoded_as>ssh-invalid_user</decoded_as>
>     <match>none</match>
>     <description>SSHD invalid username detected.</description>
>   </rule>
>
> local_decoder.xml
>
> <decoder name="ssh-invalid_user">
>   <prematch>Failed \S+ for invalid user </prematch>
>   <regex>(\S+) from (\S+) </regex>
>   <order>user, srcip</order>
> </decoder>
>

Make sure AR isn't disabled on the agent. Double check the agent's AR
log to make sure it hasn't fired.

Also, try running the AR command on the agent by hand to make sure it
actually works.
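A small check for the first two points above, added here as an example and not part of the thread: it reads a constructed agent ossec.conf for the active-response `<disabled>` flag and scans a constructed active-responses.log for host-deny runs tied to rule 100055. The log layout (date, script, action, user, srcip, alert id, rule id) is what the stock AR scripts append; the sample values are invented.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an agent's ossec.conf (not from the post). OSSEC
# allows several <ossec_config> roots in one file, so wrap before parsing.
AGENT_CONF = """
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""

# Constructed sample of the agent's active-responses.log. Each AR script
# appends "date script action user srcip alert-id rule-id" when it runs.
AR_LOG = """\
Thu Nov  4 15:31:02 2010 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1288902662.41532 100055
Thu Nov  4 15:41:02 2010 /var/ossec/active-response/bin/host-deny.sh delete - 198.51.100.7 1288902662.41532 100055
Thu Nov  4 15:45:10 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1288903510.77811 5712
"""

AR_LINE = re.compile(
    r"^(?P<date>.+?\d{4}) (?P<script>\S+) (?P<action>add|delete) "
    r"(?P<user>\S+) (?P<srcip>\S+) (?P<alert_id>\S+) (?P<rule_id>\d+)$"
)


def active_response_disabled(conf_text: str) -> bool:
    """True if any <active-response> block carries <disabled>yes</disabled>."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for ar in root.iter("active-response"):
        flag = ar.findtext("disabled")
        if flag is not None and flag.strip().lower() == "yes":
            return True
    return False


def ar_firings(log_text: str, rule_id: str, command: str = "host-deny") -> list:
    """Return (action, srcip) pairs where the AR command ran for rule_id."""
    hits = []
    for line in log_text.splitlines():
        m = AR_LINE.match(line)
        if m and m["rule_id"] == rule_id and command in m["script"]:
            hits.append((m["action"], m["srcip"]))
    return hits


if __name__ == "__main__":
    print("AR disabled on agent:", active_response_disabled(AGENT_CONF))
    print("host-deny runs for rule 100055:", ar_firings(AR_LOG, "100055"))
```

If the first check is True the response will never run on that agent, and an empty list from the second means the alert either never reached the agent or the script failed, which is where running it by hand comes in.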
