I installed the default OSSEC (server) on my internal mail system. Since then, it has not triggered any actions on the sendmail file - and though I'm still trying to grok how OSSEC is working, the rules in sendmail_rules.xml seem like they should be triggering several events. Namely:

(annoying botnet flooding)
reject=421 4.3.2 Connection rate limit exceeded.

(rbl rejections)
Sep 7 13:07:07 mail sm-mta[69281]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net

I'm using sendmail - but it may be good to account for other MTAs like Postfix eventually. The RBL reject message for sendmail can be easily customized/tagged for identification by OSSEC if needed.

In this case, I want to block these subnets on a permanent basis - it's my private system, and I really don't care. Presently, I do this manually with the help of a couple of messy shell scripts, but OSSEC could be doing this as an action.

I'm on FreeBSD 6.1, btw... which really shouldn't matter.

Thanks.
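Added example, not part of the original post and not OSSEC's own decoder, rules or active-response code: a small Python script that does the matching and aggregation the post's shell scripts presumably do by hand. It pulls the relay address out of the two kinds of sendmail reject line quoted above (the check_relay/553 RBL reject and the 421 connection-rate-limit reject), rolls offending addresses up into /24 networks with per-reason counts, and renders ipfw deny rules for them. The sample log is constructed around the post's lines (the 553 line is the one quoted; the others are made up in the same format), and the use of ipfw on FreeBSD and of port 25 as the target are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample maillog (not from the original post). The first line repeats the
# check_relay/553 line quoted in the post; the remaining lines are made up in the same
# format, including full lines built around the "reject=421 ..." fragment quoted there.
SAMPLE_LOG = """\
Sep  7 13:07:07 mail sm-mta[69281]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
Sep  7 13:07:09 mail sm-mta[69290]: ruleset=check_relay, arg1=[60.55.8.9], arg2=127.0.0.7, relay=[60.55.8.9], reject=553 5.3.0 Message from 60.55.8.9 blocked - see http://dnsbl.sorbs.net
Sep  7 13:08:01 mail sm-mta[69302]: ruleset=check_relay, arg1=[203.0.113.45], relay=[203.0.113.45], reject=421 4.3.2 Connection rate limit exceeded.
Sep  7 13:08:02 mail sm-mta[69303]: ruleset=check_relay, arg1=[203.0.113.45], relay=[203.0.113.45], reject=421 4.3.2 Connection rate limit exceeded.
Sep  7 13:08:05 mail sm-mta[69310]: q87D85xx069310: from=<user@example.com>, size=1024, class=0, nrcpts=1, relay=[192.0.2.10]
"""

# relay=[ip] (brackets optional) followed later by reject=<code> <enhanced-code> <text>
REJECT_RE = re.compile(
    r"relay=\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?.*?"
    r"reject=(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<text>.*)$"
)


def classify(code, text):
    """Map a sendmail reject to one of the two categories the post wants to act on."""
    if code == "553" and "blocked" in text:
        return "rbl"            # DNSBL hit from check_relay
    if code == "421" and "rate limit" in text.lower():
        return "ratelimit"      # connection-rate limit (the botnet flooding case)
    return None                 # any other reject is ignored here


def parse_reject(line):
    """Return {'ip', 'code', 'kind'} for a rejected-connection line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    kind = classify(m.group("code"), m.group("text"))
    if kind is None:
        return None
    return {"ip": m.group("ip"), "code": m.group("code"), "kind": kind}


def subnets_to_block(lines, prefix=24, min_hits=1):
    """Aggregate offending relay IPs into /prefix networks with a per-kind hit count."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False)
        hits[str(net)][rec["kind"]] += 1
    return {net: counts for net, counts in hits.items() if sum(counts.values()) >= min_hits}


def ipfw_rules(networks, rule_number=2000):
    """Render ipfw deny rules for the networks (assumes ipfw on FreeBSD, SMTP on port 25)."""
    ordered = sorted(networks, key=ipaddress.ip_network)
    return [f"ipfw add {rule_number + i} deny tcp from {net} to any 25"
            for i, net in enumerate(ordered)]


if __name__ == "__main__":
    blocks = subnets_to_block(SAMPLE_LOG.splitlines())
    for net, counts in blocks.items():
        print(net, dict(counts))
    print("\n".join(ipfw_rules(blocks)))
```

To use it on the real system, feed the maillog lines instead of SAMPLE_LOG and raise min_hits so a single RBL hit does not cost a whole /24; the rule lines are printed rather than executed so they can be reviewed before being applied.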