I am new to OSSEC and I am trying to figure out the best way to
change a rule. In ossec.conf it says this:

> <!-- Active Response Config -->
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for 600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>

I am assuming the level it is referring to is the level set in the rules XML.
So sshd_rules.xml has this rule:

> <rule id="5716" level="5">
>     <if_sid>5700</if_sid>
>     <match>^Failed|^error: PAM: Authentication</match>
>     <description>SSHD authentication failed.</description>
>     <group>authentication_failed,</group>
> </rule>

When testing failed SSH logins I see the alert in the alert.log for the
rule above. How should I go about changing the level to 6 so it will get
blocked? I tried editing sshd_rules.xml but get the read-only warning.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
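
One way to raise this rule to the blocking threshold without touching the shipped file, as an added example that is not part of the original post and not a reply from the list: OSSEC lets local_rules.xml redefine a stock rule by repeating its id with overwrite="yes", which is the reason sshd_rules.xml is marked read-only (it is replaced on upgrade, local_rules.xml is not). The path /var/ossec/rules/local_rules.xml is assumed here to be the default install location; rule ids 5716 and 5700 and the match pattern are copied from the rule quoted above.

```xml
<!-- Added example, not from the original post.
     Assumed file: /var/ossec/rules/local_rules.xml (default install path).
     Repeats rule 5716 from sshd_rules.xml under the same id with a higher
     level; overwrite="yes" tells ossec-analysisd to replace the stock
     definition instead of reporting a duplicate id. The matching logic
     (if_sid, match) is copied unchanged so the only behavioural change is
     the level, which now meets the <level>6</level> threshold of the
     host-deny active response in ossec.conf. -->
<group name="local,syslog,sshd,">
  <rule id="5716" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>
</group>
```

After restarting OSSEC, feeding a sample "Failed password" line to /var/ossec/bin/ossec-logtest confirms that the rule now reports as 5716 at level 6 and that the active response would fire. The caveat a practitioner should weigh first: with this change a single failed login from any source is enough to block that IP for the configured 600 seconds, including an administrator's typo, so raising a one-event rule to the blocking threshold trades false-positive risk for speed; the stock ruleset already escalates repeated failures from one source to a higher level, and letting that aggregated rule drive host-deny is the more conservative option.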