Hi,
I have defined a rule in local_rules for multiple authentication failures:
<rule id="100153" level="10" frequency="2" timeframe="240">
<if_matched_sid>18106</if_matched_sid>
<description>Multiple Windows Logon Failure events.</description>
</rule>
I can see the alert for the same rule I have added, but having two problems:
1) Rule is not triggering on 2 failure attempts (freq=2), but on 3 or more
failures. Remedy?
2) I want to block the client that has triggered this rule so that he
doesn't get a chance to log in anymore
(block the client). How can I do it? I tried adding this rule in the
"active response" field with "timeout=600".
I guess then the client should be blocked and not allowed to log in
to the client for the next 600 sec, but the
client is immediately able to gain access. (I hope I am getting it
right.)
Please help.
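Added example, not part of the post above: the shape of an OSSEC active-response binding for the poster's rule 100153, as it would appear in ossec.conf on the manager. The command block uses OSSEC's stock firewall-drop command (the firewall-drop.sh script shipped in active-response/bin, which manipulates a Linux host firewall); the rules_id and 600-second timeout come from the post. Whether it does anything depends on two things the post does not show: active response must not be disabled on the agent, and the events matched by rule 18106 must actually carry a decoded srcip, since that is the field the command expects. A Windows agent cannot run firewall-drop.sh, so for the poster's Windows logon events the executable would have to be one the Windows agent can run; that substitution is an assumption left for the reader.

```xml
<!-- Added example (not from the original post): binding rule 100153 to an
     OSSEC active response. Placed in ossec.conf on the manager. -->
<ossec_config>
  <!-- Command definition. "expect" names the decoded field the script needs;
       if the matched events carry no srcip, no address is passed and nothing
       is blocked. timeout_allowed lets the block be lifted automatically. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binding: run firewall-drop when rule 100153 fires, on the agent that
       reported the event, and undo it after 600 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100153</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

To check whether the response ran at all, look at active-responses.log under the OSSEC logs directory on the agent named in location: each invocation is logged there with the command name and the srcip it was given. If the alert fires but that log stays empty, the usual causes are active response being disabled on the agent or the alert lacking a srcip field.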