I'm having some trouble with my active-response configuration. I'm trying to trap annoying botnet floods like this:

<snip>
Sep 16 02:17:03 mail sm-mta[36121]: ruleset=check_relay, arg1=[59.176.61.250], arg2=59.176.61.250, relay=triband-del-59.176.61.250.bol.net.in [59.176.61.250] (may be forged), reject=421 4.3.2 Connection rate limit exceeded.
</snip>

Sometimes those can range up to 100 or more.

My ossec.conf has this, which is a default rule:

<active-response>

And my custom rule from local_rules.xml has this:

<rule id="100102" level="12" frequency="1" timeframe="120">

It doesn't show up in the ossec-hids-responses.log. This is an entry that I would prefer NOT to time out or delete... I'd prefer to keep it there permanently (still trying to figure out how to do that). I *do* see entries in the log, but I've no idea if they actually made it to the PF table (which I created and is visible). In any case, I wonder if someone can point me to where I've made a mistake and how to fix this? Thanks.
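As an added illustration (not part of the post and not OSSEC's own code), the following Python sketch parses the sendmail check_relay reject line quoted above and applies a per-source-IP sliding-window count in the spirit of the rule's frequency/timeframe attributes; the sample lines other than the first, and the year used for parsing, are constructed, and the window logic is a simplified model rather than OSSEC's own counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sendmail check_relay rate-limit reject shown in the post.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sm-mta\[\d+\]: "
    r"ruleset=check_relay, arg1=\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*"
    r"reject=421 4\.3\.2 Connection rate limit exceeded"
)

# Constructed sample log; only the first line is the one from the post.
SAMPLE_LOG = [
    "Sep 16 02:17:03 mail sm-mta[36121]: ruleset=check_relay, arg1=[59.176.61.250], arg2=59.176.61.250, relay=triband-del-59.176.61.250.bol.net.in [59.176.61.250] (may be forged), reject=421 4.3.2 Connection rate limit exceeded.",
    "Sep 16 02:17:05 mail sm-mta[36122]: ruleset=check_relay, arg1=[59.176.61.250], arg2=59.176.61.250, relay=[59.176.61.250], reject=421 4.3.2 Connection rate limit exceeded.",
    "Sep 16 02:17:08 mail sm-mta[36123]: ruleset=check_relay, arg1=[198.51.100.7], arg2=198.51.100.7, relay=[198.51.100.7], reject=421 4.3.2 Connection rate limit exceeded.",
    "Sep 16 02:17:09 mail sm-mta[36124]: ruleset=check_relay, arg1=[203.0.113.9], arg2=203.0.113.9, relay=[203.0.113.9], reject=550 5.7.1 Relaying denied",
    "Sep 16 02:17:40 mail sm-mta[36125]: ruleset=check_relay, arg1=[59.176.61.250], arg2=59.176.61.250, relay=[59.176.61.250], reject=421 4.3.2 Connection rate limit exceeded.",
    "Sep 16 02:22:30 mail sm-mta[36131]: ruleset=check_relay, arg1=[198.51.100.7], arg2=198.51.100.7, relay=[198.51.100.7], reject=421 4.3.2 Connection rate limit exceeded.",
]

def parse_line(line, year=2024):
    """Return (timestamp, source_ip) for a matching line, else None.
    Syslog lines carry no year, so one is assumed (constructed value)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def flood_sources(lines, frequency=1, timeframe=120):
    """Per-IP sliding window over chronologically ordered lines; an IP is
    reported the first time it has >= frequency matches within timeframe
    seconds (simplified model, not OSSEC's counter). Returns {ip: when}."""
    recent = defaultdict(deque)
    fired = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated line, e.g. a 550 relaying-denied reject
        ts, ip = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()  # drop hits older than the timeframe
        if len(window) >= frequency and ip not in fired:
            fired[ip] = ts
    return fired
```

To confirm that a response actually reached PF, `pfctl -t <table> -T show` lists the table's current members (the table name is not given in the post).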
