[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
From: Michael Starks <ossec@xxxxxxxxxxxxxxxxx>
Date: Wed, 24 Oct 2007 11:34:58 -0400
Authentication-results: mx.google.com; spf=neutral (google.com: 24.24.2.57 is neither permitted nor denied by best guess record for domain of ossec@xxxxxxxxxxxxxxxxx) smtp.mail=ossec@xxxxxxxxxxxxxxxxx

Steve West wrote:

> Am I doing something wrong as to why active response is not being 
> invoked after 20 "no such user" in a 60 seconds time frame?

Hello Steve,

I ran into a problem awhile back where it seemed like my rule wasn't 
working.  What I found after working with Daniel was that the behavior 
of OSSEC is to match just above the threshold.  So in your case the rule 
would not fire *on* 20, but at 21 (if memory serves me correctly).  Try 
21 or 22 invalid logins in 60 seconds.

-Mike

Follow-Ups:
- [ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
  - From: Steve West

References:
- [ossec-list] Can't get OSSEC to fire active response for custom proftpd rule
  - From: Steve West

Prev by Date: [ossec-list] Re: Strange behaviour with some agents...
Next by Date: [ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
Previous by thread: [ossec-list] Can't get OSSEC to fire active response for custom proftpd rule
Next by thread: [ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.