Hi all, I have some entries in the log on my mail server (with the ossec agent installed) like this:

Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36

and my ossec server says in the alert.log:

Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
** Alert 1540983795.5645464: mail - dovecot,invalid_login,authentication_failed,
2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages
Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36

The problem is: rule 9705 in the dovecot rules has level 7, and in my ossec.conf all rules over level 6 trigger an active response, but not for 'dovecot'. I don't understand why. All ARs work fine for ALL other rules, http and smtp; only for dovecot is an active response not triggered.

Any suggestions are appreciated.

Giorgio Biondi
