Hi list, I have the following problem.
Some bots (or perhaps persons) are trying to authenticate themselves via SMTP on my server. Each time I get the following log entries:

Jun 1 18:30:24 GATE zarafa-gateway[15970]: Failed to login from 127.0.0.1 with invalid username "[email protected]" or wrong password. Error: 0x80040111
Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning: SASL authentication failure: Password verification failed
Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning: unknown[205.234.236.xxx]: SASL PLAIN authentication failed: authentication failure

Now I want to add a rule to ossec that will trigger when these three entries appear, for example, 3 times in 30 seconds from the same IP 205.234.236.xxx. I was searching the wiki but I didn't find anything that helps me to do this. Can any of you give me a hint?

Thanks in advance

-- 
Andre Pawlowski
-------------------------------------------------------------------
People should not be afraid of their governments. Governments should be afraid of their people. -V for Vendetta (V)
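The correlation asked for above, sketched outside OSSEC as an added example (not part of the original post and not an OSSEC rule): of the three entries, only the last postfix/smtpd line carries the client address, so the count is keyed on that line. The IPs, username, assumed year and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Of the three entries per failed login, only this one names the remote client.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \w+ authentication failed")
ASSUMED_YEAR = 2024  # assumption: syslog timestamps carry no year

def find_bruteforce(lines, threshold=3, window=timedelta(seconds=30)):
    """Return (ip, time) for each time an IP hits `threshold` failures in `window`.
    Lines are expected in chronological order, as in a log file."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    alerts = []
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue  # gateway / generic SASL lines: no client IP to key on
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m["ip"], ts))
            q.clear()  # start counting afresh after an alert
    return alerts

def attempt(ts, ip):
    """Constructed log triple in the format quoted in the post."""
    return [
        f'{ts} GATE zarafa-gateway[15970]: Failed to login from 127.0.0.1 with '
        f'invalid username "user@example.com" or wrong password. Error: 0x80040111',
        f"{ts} GATE postfix/smtpd[15962]: warning: SASL authentication failure: "
        f"Password verification failed",
        f"{ts} GATE postfix/smtpd[15962]: warning: unknown[{ip}]: SASL PLAIN "
        f"authentication failed: authentication failure",
    ]

# Constructed sample: 203.0.113.7 fails three times in 21 s, 198.51.100.9 twice, 80 s apart.
SAMPLE = (attempt("Jun  1 18:30:24", "203.0.113.7") + attempt("Jun  1 18:30:31", "203.0.113.7")
          + attempt("Jun  1 18:30:40", "198.51.100.9") + attempt("Jun  1 18:30:45", "203.0.113.7")
          + attempt("Jun  1 18:32:00", "198.51.100.9"))

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE):
        print(f"{when:%b %d %H:%M:%S} {ip}: 3+ SASL failures within 30 s")
```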
