Do one thing: in the local_rules.xml file, change the default level of this rule. Also, the kind of customisation you want can be done in this file only. Thereafter, configure email alerting on this rule ID. This implies that any time the OSSEC server sees this rule ID, it will fire an alert and a copy of the same will be sent to the email ID that you have given.
Rgds
Tanishk
Sent from BlackBerry® on Airtel

-----Original Message-----
From: Andre Pawlowski <[email protected]>
Sender: [email protected]
Date: Wed, 01 Jun 2011 19:47:47
To: <[email protected]>
Reply-To: [email protected]
Subject: [ossec-list] rule to trigger when 3 specific log entries in a specific time appears

Hi list,

I have the following problem. Some bots (or perhaps persons) are trying to authenticate themselves via SMTP on my server. Each time I get the following log entries:

Jun 1 18:30:24 GATE zarafa-gateway[15970]: Failed to login from 127.0.0.1 with invalid username "[email protected]" or wrong password. Error: 0x80040111
Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning: SASL authentication failure: Password verification failed
Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning: unknown[205.234.236.xxx]: SASL PLAIN authentication failed: authentication failure

Now I want to add a rule to OSSEC that will trigger when these three entries appear, for example, 3 times in 30 seconds from the same IP 205.234.236.xxx. I searched the wiki but didn't find anything that helps me to do this. Can any of you give me a hint?

Thanks in advance

--
Andre Pawlowski
-------------------------------------------------------------------
People should not be afraid of their governments. Governments should be afraid of their people.
-V for Vendetta (V)
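The following is an added example, not code from either poster or from the OSSEC project, showing how the advice above (a custom rule in local_rules.xml plus email alerting on its rule ID) maps onto the question in the original post. Of the three log lines, only the third one (postfix/smtpd "SASL PLAIN authentication failed") carries the client IP, so that is the line to count; the other two arrive in the same second and add no correlation key. The rule IDs 100100/100101, the "postfix" decoder name, the addresses, and the SMTP relay are assumptions; in particular it is assumed that the stock postfix decoder extracts srcip from the "unknown[a.b.c.d]" part of that line, which `<same_source_ip />` needs. Check that with /var/ossec/bin/ossec-logtest before relying on it.

```xml
<!-- ===== /var/ossec/rules/local_rules.xml (added example, IDs assumed) ===== -->
<group name="local,postfix,smtp,authentication_failed,">

  <!-- 100100: one SASL authentication failure as logged by postfix/smtpd.
       Level 5 keeps it in alerts.log but below the default email level (7),
       so a single failure does not generate mail on its own. -->
  <rule id="100100" level="5">
    <decoded_as>postfix</decoded_as>   <!-- assumes the stock postfix decoder -->
    <match>SASL PLAIN authentication failed|SASL LOGIN authentication failed</match>
    <description>Postfix: SASL authentication failure (local rule).</description>
  </rule>

  <!-- 100101: composite rule. Fires when 100100 has matched repeatedly from the
       same source IP inside the timeframe. This is the "3 times in 30 seconds
       from the same IP" request from the original post. Level 10 is above the
       default email_alert_level, so this one is mailed.
       Caveat: older OSSEC documentation states that a rule actually fires on
       frequency + 2 matches; test with your version and lower the value if needed. -->
  <rule id="100101" level="10" frequency="3" timeframe="30">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Postfix: multiple SASL authentication failures from same source IP.</description>
  </rule>

</group>

<!-- ===== /var/ossec/etc/ossec.conf (relevant fragments only; addresses assumed) ===== -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.org</email_to>          <!-- assumed address -->
    <smtp_server>127.0.0.1</smtp_server>            <!-- assumed local relay -->
    <email_from>ossec@gate.example.org</email_from> <!-- assumed sender -->
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- Anything at this level or above is mailed; 100101 (level 10) qualifies. -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular alert: mail this rule ID to a given address regardless of the
       global email_alert_level, and send it immediately instead of batching.
       This is the "email alerting on this rule ID" part of the reply. -->
  <email_alerts>
    <email_to>smtp-abuse@example.org</email_to>     <!-- assumed address -->
    <rule_id>100101</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

To check the rule chain without waiting for real traffic, paste the third log line from the original post into /var/ossec/bin/ossec-logtest three or more times in quick succession: the output should show the decoder used, the decoded srcip, and rule 100100 firing on each line, then 100101 once the frequency is reached. If srcip is missing from the decoder output, `<same_source_ip />` has nothing to group on and a small decoder in local_decoder.xml that extracts the bracketed address is needed first. After editing the files, restart with /var/ossec/bin/ossec-control restart.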
