[ossec-list] Can't get OSSEC to fire active response for custom proftpd rule
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Can't get OSSEC to fire active response for custom proftpd rule
- From: Steve West <stevewest15@xxxxxxxxx>
- Date: Wed, 24 Oct 2007 10:19:08 -0400
Hi,
I'm trying to create a new proftpd rule in
/var/ossec/rules/local_rules.xml but for some reason ossec is not
performing the active response. Here is my rule:
<!-- Proftpd Rules -->
<group name="proftpd">
  <rule id="11000001" level="10" frequency="20" timeframe="60">
    <if_matched_sid>11203</if_matched_sid>
    <same_source_ip />
    <description>Multiple connection attempts using a non-existent user.</description>
  </rule>
</group>
<!-- End of Proftpd Rules -->
My rule is based on the /var/ossec/rules/proftpd_rules.xml rule id 11203:
<rule id="11203" level="5">
  <if_sid>11200</if_sid>
  <match> no such user </match>
  <description>Attempt to login using a non-existent user.</description>
  <group>invalid_login,</group>
</rule>
Am I doing something wrong as to why active response is not being
invoked after 20 "no such user" matches in a 60-second time frame?
thx,
SW
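The composite rule above only fires if the 20 matches of rule 11203 can be grouped by source IP inside the 60-second window, which in turn requires the proftpd decoder to have extracted a srcip from each line. The following is an added example, not code from the original post or from the OSSEC project: a small Python model of that frequency/timeframe/same_source_ip correlation, run over constructed proftpd log lines. The log format, the decoder regexes and the IP addresses are assumptions made for the illustration; the real OSSEC decoder and matching engine are more elaborate (the OSSEC rule documentation also notes that the count that actually triggers a rule is two more than the `frequency` value, which is why the threshold is a parameter here).

```python
"""Model of an OSSEC composite rule (frequency/timeframe + same_source_ip),
run over constructed proftpd log lines.  Added example; not OSSEC code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style proftpd line; the real OSSEC decoder differs.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: (?P<msg>.*)$')
# Assumed srcip extraction from proftpd's "host[ip]" form.
HOST_RE = re.compile(r'\S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]')


def decode(line, year=2007):
    """Return {"ts", "srcip", "msg"} for a line, or None if it is not proftpd."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    host = HOST_RE.search(m['msg'])
    return {"ts": ts, "srcip": host['ip'] if host else None, "msg": m['msg']}


def matches_11203(event):
    """Rule 11203: <match> no such user </match> is a substring match,
    spaces included."""
    return " no such user " in event["msg"]


def correlate(lines, frequency=20, timeframe=60):
    """Apply rule 11000001 semantics: `frequency` matches of 11203 from the
    same srcip within `timeframe` seconds.  Returns (fired, unattributed),
    where fired is a list of (timestamp, srcip) and unattributed counts
    matches that carried no srcip and therefore could never be grouped."""
    window = defaultdict(deque)   # srcip -> timestamps inside the window
    fired, unattributed = [], 0
    for line in lines:
        ev = decode(line)
        if ev is None or not matches_11203(ev):
            continue
        if ev["srcip"] is None:   # <same_source_ip /> has nothing to group on
            unattributed += 1
            continue
        q = window[ev["srcip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()           # drop matches older than the timeframe
        if len(q) >= frequency:
            fired.append((ev["ts"], ev["srcip"]))
            q.clear()             # start a fresh window after firing
    return fired, unattributed


def make_line(ts, ip, user="bob"):
    """Build a constructed proftpd 'no such user' line (not real log data)."""
    return (f"{ts.strftime('%b %d %H:%M:%S')} ftphost proftpd[1234]: "
            f"ftphost ({ip}[{ip}]) - USER {user}: no such user found "
            f"from {ip} [{ip}] to 198.51.100.5:21")


BASE = datetime(2007, 10, 24, 10, 0, 0)
# Constructed sample input covering the cases that matter for the rule.
SAMPLE_LOGS = (
    # 20 attempts from one host, 2 s apart: 20 matches inside 60 s -> fires
    [make_line(BASE + timedelta(seconds=2 * i), "192.0.2.10") for i in range(20)]
    # 20 attempts 30 s apart: never more than 3 inside any 60 s window
    + [make_line(BASE + timedelta(seconds=30 * i), "192.0.2.30") for i in range(20)]
    # only 5 attempts: below frequency
    + [make_line(BASE + timedelta(seconds=i), "192.0.2.20") for i in range(5)]
    # matches 11203 but the assumed decoder finds no srcip -> cannot be grouped
    + ["Oct 24 10:05:00 ftphost proftpd[1234]: USER carol: no such user found"]
)

if __name__ == "__main__":
    fired, unattributed = correlate(SAMPLE_LOGS)
    for ts, ip in fired:
        print(f"11000001 would fire at {ts} for {ip}")
    print(f"{unattributed} matching line(s) had no srcip and were not grouped")
```

Two checks follow from this model. First, feed a real "no such user" line through /var/ossec/bin/ossec-logtest and confirm that the decoded output shows a srcip and that rule 11203 matches; without a srcip, <same_source_ip /> can never accumulate a count. Second, the active response itself only runs when an <active-response> block in ossec.conf selects the rule, by <level> or by <rules_id>, and a command declared with <expect>srcip</expect> needs that same srcip in the alert.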
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.