[ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 24 Oct 2007 22:35:24 -0300
Hi Steve,
Are the alerts being generated based on your rule? If yes, can you show us the output of them (from /var/ossec/logs/alerts.log)? You need to make sure that the srcip is present in the alert (meaning that it was decoded properly), otherwise the active response is not going to fire.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/24/07, Steve West <stevewest15@xxxxxxxxx> wrote:
>
> Michael Starks wrote:
> > Try 21 or 22 invalid logins in 60 seconds.
> >
> > -Mike
> >
> Hi Mike,
>
> Thanks for the suggestion! I tried over 25 invalid logins and still OSSEC
> active response doesn't fire. Not really sure why, but I think it might
> be related to my rule or the underlying proftpd group rule 11200.
>
> SW
>
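A quick way to apply the check Daniel asks for above, added here as an example and not code from the thread or from the OSSEC project: parse alerts.log, group alerts by rule ID, and report which rules fired without a "Src IP:" line. The sample alert text, the host name, the addresses, and the custom rule 100100 with its description are constructed for the example; the only thing assumed from OSSEC is the alerts.log layout ("** Alert" header, "Rule: N (level L) -> '...'" line, optional "Src IP:" line).

```python
"""Report OSSEC alerts that fired without a decoded source IP.

Active response in OSSEC acts on the srcip of an alert, so a rule whose
alerts carry no "Src IP:" line cannot trigger it.  This reads alerts.log
and lists the rule IDs that fired at least once without a srcip.
"""
import re
import sys

# Constructed sample in the layout of /var/ossec/logs/alerts.log.
# Host name, addresses, rule 100100 and its description are made up.
SAMPLE_ALERTS = """\
** Alert 1193276124.1: - syslog,proftpd,authentication_failed,
2007 Oct 24 22:35:24 ftp01->/var/log/proftpd/proftpd.log
Rule: 11201 (level 5) -> 'Login failed accessing the FTP server.'
Src IP: 192.0.2.10
User: steve
Oct 24 22:35:24 ftp01 proftpd[2211]: ftp01 (192.0.2.10[192.0.2.10]) - USER steve (Login failed): Incorrect password.

** Alert 1193276200.2: - syslog,proftpd,
2007 Oct 24 22:36:40 ftp01->/var/log/proftpd/proftpd.log
Rule: 100100 (level 10) -> 'Custom: proftpd brute force.'
Oct 24 22:36:40 ftp01 proftpd[2213]: ftp01 (192.0.2.10[192.0.2.10]) - USER steve (Login failed): Incorrect password.
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+\.\d+): - (.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (\S+)$")


def parse_alerts(text):
    """Return one dict per '** Alert' block: groups, rule, level, srcip."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # Groups are comma separated with a trailing comma; drop the empty tail.
            current = {"groups": [g for g in m.group(2).split(",") if g],
                       "rule": None, "level": None, "description": None,
                       "srcip": None}
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first alert header
        m = RULE_RE.match(line)
        if m:
            current["rule"] = int(m.group(1))
            current["level"] = int(m.group(2))
            current["description"] = m.group(3)
            continue
        m = SRCIP_RE.match(line)
        if m:
            current["srcip"] = m.group(1)
    return alerts


def rules_missing_srcip(alerts):
    """Rule IDs that produced at least one alert with no decoded srcip."""
    return {a["rule"] for a in alerts
            if a["rule"] is not None and a["srcip"] is None}


def main(path):
    with open(path) as fh:
        alerts = parse_alerts(fh.read())
    missing = rules_missing_srcip(alerts)
    print("%d alerts parsed" % len(alerts))
    for rule in sorted(missing):
        print("rule %d fired without srcip; active response cannot use it" % rule)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/alerts.log"))
```

Run it against the real alerts.log on the OSSEC server (it needs read access to /var/ossec/logs/). If the custom rule ID shows up in the "fired without srcip" list, the proftpd log line is matching the rule but is not being decoded with a source address, which is exactly the case Daniel describes where active response will not fire.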
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.