
[ossec-list] Re: ProFTPD Issue - Active Response very sensitive for incorrect login attempts



Greetings:

You don't mention which rule is kicking off, but let's say it is as
follows from /var/ossec/rules/proftpd_rules.xml


  <rule id="11251" level="10" frequency="6" timeframe="120">
    <if_matched_sid>11204</if_matched_sid>
    <same_source_ip />
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

If the rule has an adjuster such as timeframe (in the case of the
proftpd rules), then you can copy the rule set and edit
/var/ossec/rules/local_rules.xml and change the timeframe to a higher number.

Then restart ossec with

/var/ossec/bin/ossec-control restart

Thank you.
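
As an added example (not part of the original message and not OSSEC's own code), a simplified Python model of the `frequency`, `timeframe` and `same_source_ip` options of rule 11251 shows how each setting changes when the rule fires. It assumes the rule fires once `frequency` matches of rule 11204 from one source IP fall within `timeframe` seconds; the function name, IP addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict, deque


def brute_force_alerts(events, frequency=6, timeframe=120):
    """Model of a composite rule with same_source_ip (assumed semantics).

    events: (epoch_seconds, source_ip) pairs, one per failed login
            (a match of rule 11204), sorted by time.
    Returns the (timestamp, source_ip) pairs at which the rule would fire.
    """
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    alerts = []
    for ts, ip in events:
        window = recent[ip]
        window.append(ts)
        # Forget failures older than `timeframe` seconds for this IP.
        while ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((ts, ip))
            window.clear()  # start counting afresh after an alert
    return alerts


# Constructed sample input: two clients, six failed logins each.
FAST = [(t, "192.0.2.10") for t in range(0, 90, 15)]     # every 15 s
SLOW = [(t, "198.51.100.7") for t in range(0, 180, 30)]  # every 30 s
SAMPLE_EVENTS = sorted(FAST + SLOW)

if __name__ == "__main__":
    for freq, frame in [(6, 120), (6, 240), (10, 120)]:
        fired = brute_force_alerts(SAMPLE_EVENTS, freq, frame)
        print(f"frequency={freq} timeframe={frame}: {fired}")
```

In this model a wider `timeframe` keeps more of the slow client's failures inside the window, while a larger `frequency` requires more failures before any alert (and any active response tied to it).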





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.