Okay, so I was able to get 5720 to fire consistently. But now I'm
having issues with AR working (again). This time the server is getting
the alerts from the OSSEC agent (as normal) and it is in fact firing
5720:

** Alert 1298415206.1338076638: mail  -
syslog,sshd,authentication_failures,
2011 Feb 22 14:53:26 (irprinfssh1) X.X.X.X->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: X.X.X.X
User: jlee
Feb 22 14:53:25 irprinfssh1 sshd[9503]: Failed password for jlee from
X.X.X.X port 31903 ssh2
Feb 22 14:53:23 irprinfssh1 sshd[9503]: Failed password for jlee from
X.X.X.X port 31903 ssh2
Feb 22 14:53:13 irprinfssh1 sshd[9470]: Failed password for jlee from
X.X.X.X port 5118 ssh2



The AR/command in ossec.conf is as follows:

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <active-response>
    <disabled>no</disabled>
    <command>route-null</command>
    <location>local</location>
    <rules_id>5720</rules_id>
    <timeout>1800</timeout>
  </active-response>



Yet again, I'm perplexed... has anybody gotten the AR to work in a
server-agent setup for rules 5720 and/or 5712?
NOTE: this was working perfectly for me when I had OSSEC installed in
local mode.
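As an added check, not part of the original post or of OSSEC itself: the script below parses an alert in the format quoted above together with the `<command>`/`<active-response>` blocks from the post (with a placeholder IP) and reports which enabled active response the server would dispatch for it; a malformed closing tag in the XML shows up as a parse error instead of a silent non-match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the format of the alert quoted above; the IP is a placeholder
ALERT = """** Alert 1298415206.1338076638: mail  - syslog,sshd,authentication_failures,
2011 Feb 22 14:53:26 (irprinfssh1) 192.0.2.10->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
User: jlee
"""

# The <command> and <active-response> blocks from the post, under a root element
AR_CONF = """<ossec_config>
  <command><name>route-null</name><executable>route-null.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <active-response><disabled>no</disabled><command>route-null</command>
    <location>local</location><rules_id>5720</rules_id><timeout>1800</timeout>
  </active-response>
</ossec_config>"""

def parse_alert(text):
    """Pull rule id, level, source IP and agent name out of one alert block."""
    rule = re.search(r"^Rule: (\d+) \(level (\d+)\)", text, re.M)
    srcip = re.search(r"^Src IP: (\S+)", text, re.M)
    agent = re.search(r"^\d{4} \w{3} +\d+ [\d:]+ \(([^)]+)\)", text, re.M)
    return {"rule_id": rule.group(1), "level": int(rule.group(2)),
            "srcip": srcip.group(1) if srcip else None,
            "agent": agent.group(1) if agent else None}

def matching_responses(conf_xml, alert):
    """Return (command, location, expect) for each enabled active-response whose
    rules_id lists the alert's rule and whose expected argument the alert can
    supply. A malformed tag (e.g. <rules_id> closed without '/') raises ParseError."""
    root = ET.fromstring(conf_xml)
    commands = {c.findtext("name"): c for c in root.findall("command")}
    hits = []
    for ar in root.findall("active-response"):
        if (ar.findtext("disabled") or "no").strip() == "yes":
            continue  # block is disabled
        ids = {i.strip() for i in (ar.findtext("rules_id") or "").split(",")}
        if alert["rule_id"] not in ids:
            continue  # rule not covered by this block
        cmd = commands.get(ar.findtext("command"))
        expect = (cmd.findtext("expect") or "") if cmd is not None else ""
        if expect == "srcip" and not alert["srcip"]:
            continue  # OSSEC has no srcip to hand the script
        hits.append((ar.findtext("command"), ar.findtext("location"), expect))
    return hits
```

With `<location>local</location>` the command runs on the agent that produced the event, so the agent's own ossec.conf must have active response enabled and route-null.sh must be present in the agent's active-response/bin directory as well.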
