[Ossec-list] Fw: Active response
- Subject: [Ossec-list] Fw: Active response
- From: peter at ifup.de (Peter Ahlert)
- Date: Thu, 9 Mar 2006 21:37:57 +0100
Hi Daniel,
On Wed, 8 Mar 2006 16:52:06 -0400
"Daniel Cid" <daniel.cid at gmail.com> wrote:
> If you try with the following log:
>
> echo "Mar 2 07:13:30 enigma sshd[4264]: Failed password for invalid
> user test from 64.106.134.170 port 58354 ssh2" >> /var/log/messages
>
> It will block the ip: "64.106.134.170" (can you just verify that?)
working as intended (ip blocked and removed after timeout)
> To fix this, you can do two things (it will be fixed in the next version):
>
> -edit /var/ossec/etc/decoders.xml and add the following just after the
> "ssh-failed" part (hope the e-mail client will not delete the xml):
>
> <decoder name="ssh-invalid">
> <parent>sshd</parent>
> <prematch>^sshd[\d+]: Illegal </prematch>
> <regex>^sshd[\d+]: Illegal user (\S+) from (\S+)$</regex>
> <order>user,srcip</order>
> </decoder>
I added the block to decoders.xml but the active response isn't fired. I tried to add some
pure-ftp rules too but wasn't successful ;) Is it possible to activate some debug output to
see if ip or user are recognised?
I guess I'm going to wait for the next version :)
Peter
--
=========================================================================
Peter Ahlert peter at ifup.de
==== We are Microsoft. You will be assimilated. Resistance is futile ====
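Peter's question above is whether the decoder actually extracts `user` and `srcip` from the sshd lines, since active response only has an address to block when `srcip` is decoded. The following is an added example, not code from the thread or from the OSSEC project: a small Python stand-in for that debug check. It takes the `ssh-invalid` decoder quoted in the thread (and a constructed `ssh-failed` decoder in the same style, which is an assumption and not OSSEC's own definition), translates the small subset of OSSEC regex syntax they use into Python `re`, and runs constructed sample syslog lines through them, reporting for each line which decoder matched and which fields came out. The syslog header handling and the assumption that `[` and `]` are literal characters in `sshd[\d+]:` are also assumptions of this example.

```python
import re

# Decoder definitions in the shape used by OSSEC's decoders.xml.
# "ssh-invalid" is the decoder quoted in the thread. "ssh-failed" is a
# constructed stand-in written in the same style for this example; it is
# NOT the real OSSEC decoder of that name.
DECODERS = [
    {
        "name": "ssh-failed",
        "prematch": r"^sshd[\d+]: Failed password for ",
        "regex": r"^sshd[\d+]: Failed password for invalid user (\S+) from (\S+) port \d+ \w+$",
        "order": ["user", "srcip"],
    },
    {
        "name": "ssh-invalid",
        "prematch": r"^sshd[\d+]: Illegal ",
        "regex": r"^sshd[\d+]: Illegal user (\S+) from (\S+)$",
        "order": ["user", "srcip"],
    },
]

# Constructed sample log lines. The first is the line from the thread; the
# others use documentation addresses (192.0.2.0/24) and made-up user names.
SAMPLE_LOGS = [
    "Mar 2 07:13:30 enigma sshd[4264]: Failed password for invalid user test from 64.106.134.170 port 58354 ssh2",
    "Mar 2 07:14:02 enigma sshd[4271]: Illegal user oracle from 192.0.2.10",
    "Mar 2 07:14:03 enigma sshd[4272]: Invalid user oracle from 192.0.2.11",  # different wording: no prematch hits
    "Mar 2 07:14:05 enigma sshd[4273]: Accepted publickey for peter from 192.0.2.20 port 50000 ssh2",
]

# Assumed syslog header layout: "Mon DD HH:MM:SS host <program part>".
# OSSEC decoders work on the program part, so we strip the header first.
SYSLOG_HEADER = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(.*)$")


def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used above into Python re.

    Assumption: '[' and ']' are literal characters in the decoder patterns
    (as in 'sshd[\\d+]:'), while \\d, \\S, \\w, +, ^, $ and (...) carry their
    Python meaning. Other OSSEC-specific tokens are not handled here.
    """
    return pattern.replace("[", r"\[").replace("]", r"\]")


def strip_syslog_header(line):
    """Return the program part of a syslog line (or the whole line if no header)."""
    m = SYSLOG_HEADER.match(line)
    return m.group(1) if m else line


def decode(line, decoders=DECODERS):
    """Run a line through the decoders in order, OSSEC style.

    Returns None when no prematch hits. When a prematch hits but the regex
    does not, returns the decoder name with an empty field dict, which is
    exactly the case where active response has no srcip to act on.
    """
    body = strip_syslog_header(line)
    for d in decoders:
        if not re.search(ossec_to_python(d["prematch"]), body):
            continue
        m = re.search(ossec_to_python(d["regex"]), body)
        fields = dict(zip(d["order"], m.groups())) if m else {}
        return {"decoder": d["name"], "fields": fields}
    return None


def debug_report(lines):
    """One human-readable line per log line: decoder name and decoded fields."""
    report = []
    for line in lines:
        r = decode(line)
        if r is None:
            report.append("no decoder matched: " + strip_syslog_header(line))
        else:
            kv = " ".join(f"{k}={v}" for k, v in r["fields"].items()) or "(regex missed)"
            report.append(f"{r['decoder']}: {kv}")
    return report


def srcips_for_active_response(lines):
    """Addresses that a srcip-based active response would see for these lines."""
    return [decode(l)["fields"]["srcip"] for l in lines
            if decode(l) and "srcip" in decode(l)["fields"]]


if __name__ == "__main__":
    for entry in debug_report(SAMPLE_LOGS):
        print(entry)
    print("srcip values available for active response:", srcips_for_active_response(SAMPLE_LOGS))
```

Running this prints which sample lines decode and with which fields; a line that shows up as "no decoder matched" or "(regex missed)" is one that can never trigger a srcip-based block, which is the first thing to check when a decoder is added and the active response stays silent.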
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.