Hi Dan,

Thanx again. Your first question was right. Simulated a full brute force test on Wordpress login. The rule didn't get a trigger. My assumption was that the rules below got triggered reading their description :-/

I have read the ossec book. Are there any good readings on groups and rule tree structures?

Thanx a lot.

Kind regards,

Gerard.

On Tuesday, November 5, 2013 5:27:57 PM UTC+1, dan (ddpbsd) wrote:
>
> On Sat, Nov 2, 2013 at 8:27 AM, Gerard Petersen <[email protected]> wrote:
> > Hi All,
> >
> > I'm trying to get notifications for AR Firewall drops but I can't get it to
> > work. The easiest (but not preferred) way seemed to edit file
> > "firewall_rules.xml" and change this:
> >
> > <rule id="4101" level="5">
> > <if_sid>4100</if_sid>
> > <action>DROP</action>
> > <options>no_log</options>
> > <description>Firewall drop event.</description>
> > <group>firewall_drop,</group>
> > </rule>
> >
>
> Does the above trigger when the logs come in? Can you provide a sample
> of the logs?
>
> > Into this:
> >
> > <rule id="4101" level="8">
> > <if_sid>4100</if_sid>
> > <action>DROP</action>
> > <description>Firewall drop event.</description>
> > <group>firewall_drop,</group>
> > </rule>
> >
> > Then, amazingly, the active response stops working completely. The preferred
> > way, as I see it, would be to add a new rule and if_sid from the 4101 with a
> > level=8.
> >
> > <group name="firewall,">
> > <rule id="100201" level="8">
> > <if_sid>4101</if_sid>
> > <description>TEST - Firewall DROP.</description>
> > </rule>
> > </group> <!-- firewall, -->
> >
> > But no luck on either setup. Can anybody see what I do not?
> >
> > Thanx a lot.
> >
> > Kind regards,
> >
> > Gerard.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
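On the question of groups and rule trees raised above: the following local_rules.xml fragment is an added example (not from this thread and not part of OSSEC's stock rule set) showing how child rules hang under the stock 4101 and how a correlation rule sits under that child. The rule IDs 100201 and 100202 and the threshold of 5 drops in 120 seconds are assumed values chosen for illustration.

```xml
<!-- Added example of a local_rules.xml rule tree; not from this thread. -->
<!-- Rule IDs 100201/100202 and the 5-in-120s threshold are assumed values. -->
<group name="local,firewall,">

  <!-- Child of the stock 4101. The parent carries <options>no_log</options>,
       so it never alerts by itself; a child without that option alerts when
       the same log matches, and the stock rule file stays untouched. -->
  <rule id="100201" level="8">
    <if_sid>4101</if_sid>
    <description>Firewall drop event (local alerting copy).</description>
    <group>firewall_drop,</group>
  </rule>

  <!-- Correlation: repeated drops from one source inside the timeframe.
       if_matched_sid looks at previously matched events, not the current
       one, so this fires on the 5th drop from the same IP within 120 s. -->
  <rule id="100202" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>Multiple firewall drops from the same source.</description>
    <group>firewall_drop,</group>
  </rule>

</group> <!-- local,firewall, -->
```

Neither rule can fire unless the incoming line is first decoded as a firewall event and matches 4100 and then 4101, which is why the sample log Dan asked for is the thing to check before touching rule levels.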
