On Fri, Jul 13, 2012 at 7:01 AM, sahil sharma <sharmasahil0...@gmail.com> wrote:
> Hi,
>
> I have defined a rule in local_rules for multiple authentication failures:
>
> <rule id="100153" level="10" frequency="2" timeframe="240">
>
>     <if_matched_sid>18106</if_matched_sid>
>     <description>Multiple Windows Logon Failure events.</description>
> </rule>
>
> I can see the alert for the same rule I have added, but having two problems:
>
> 1)Rule is not triggering on 2 failure attempts (freq=2),  but on 3 or more
> failures. Remedy?
>

Check the frequency documentation:
http://devio.us/~ddp/ossec/docs/syntax/head_rules.html

> 2) I want to block the client that has triggered this rule so that he
> doesn't get a chance to login anymore (block the client). How can I do it?
> I tried adding this rule on the "active response" field with "timeout=600".
>
> I guess then the client should be blocked and not allowed to login into
> the client for the next 600 sec, but the client is immediately able to
> gain access. (I hope I am getting it right.)
>
>
> Please help.

You forgot to include the configuration you tried. Did you restart the
ossec processes on the ossec server after making this change? Is
active response enabled on the agent?
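As an added illustration of the two questions in the thread (not OSSEC's own code and not part of the original mail): a small model of how a `frequency`/`timeframe` composite rule counts parent matches, and a check of the server- and agent-side `ossec.conf` pieces that must all line up before an active response can block anyone. The rule XML is the one from the post; the `ossec.conf` fragments and the event timestamps are constructed. The correlation model assumes the rule fires once at least `frequency` earlier matches sit inside the timeframe, which is the behaviour the poster observed (`frequency="2"` firing on the third failure); confirm that against the documentation linked above before relying on it.

```python
"""Added illustration for the thread above: a model of OSSEC's
frequency/timeframe correlation and a sanity check of the active-response
configuration. This is not OSSEC's own code; the XML fragments are constructed."""
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment holding the rule from the post.
LOCAL_RULES = """<group name="local">
  <rule id="100153" level="10" frequency="2" timeframe="240">
    <if_matched_sid>18106</if_matched_sid>
    <description>Multiple Windows Logon Failure events.</description>
  </rule>
</group>"""

# Constructed ossec.conf fragments: one for the server, one for an agent.
SERVER_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100153</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""

AGENT_CONF_DISABLED = """<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>"""


def load_rule(rules_xml, rule_id):
    """Pull frequency, timeframe and parent sid of one rule out of a rules file."""
    for r in ET.fromstring(rules_xml).iter("rule"):
        if r.get("id") == rule_id:
            return {"frequency": int(r.get("frequency")),
                    "timeframe": int(r.get("timeframe")),
                    "parent": r.findtext("if_matched_sid")}
    raise KeyError(rule_id)


def correlate(rule, events):
    """events: (timestamp_seconds, sid) pairs in order. Returns the timestamps
    at which the composite rule fires.
    Model ASSUMPTION: a match fires the rule once at least `frequency` EARLIER
    matches of the parent sid lie within `timeframe` seconds, and the window is
    cleared after firing. That reproduces what the post reports
    (frequency="2" fires on the third failure); check it against the docs."""
    window, fired = [], []
    for ts, sid in events:
        if sid != rule["parent"]:
            continue
        window = [t for t in window if ts - t <= rule["timeframe"]]
        if len(window) >= rule["frequency"]:
            fired.append(ts)
            window = []
        else:
            window.append(ts)
    return fired


def active_response_problems(server_xml, agent_xml, rule_id):
    """List reasons the active response for rule_id could never block anyone."""
    problems = []
    server = ET.fromstring(server_xml)
    defined = {c.findtext("name") for c in server.iter("command")
               if c.find("name") is not None}
    bound = [ar for ar in server.iter("active-response")
             if rule_id in [x.strip() for x in (ar.findtext("rules_id") or "").split(",")]]
    if not bound:
        problems.append("no <active-response> lists rule %s in <rules_id>" % rule_id)
    for ar in bound:
        cmd = ar.findtext("command")
        if cmd not in defined:
            problems.append("command %r used but never defined in a <command> block" % cmd)
        if ar.findtext("location") is None:
            problems.append("<active-response> has no <location>")
    agent = ET.fromstring(agent_xml)
    if agent.findtext("active-response/disabled") == "yes":
        problems.append("agent ossec.conf disables active response")
    return problems


if __name__ == "__main__":
    rule = load_rule(LOCAL_RULES, "100153")
    failures = [(0, "18106"), (10, "18106"), (20, "18106")]
    print("frequency=2 fires at:", correlate(rule, failures))                    # [20]
    print("frequency=1 fires at:", correlate(dict(rule, frequency=1), failures))  # [10]
    print(active_response_problems(SERVER_CONF, AGENT_CONF_DISABLED, "100153"))
```

Two practical notes: with `<location>local</location>` the command runs on the agent that reported the event, so for a Windows logon failure the `<command>` must point at an executable that exists on the Windows agent (a Linux script such as `firewall-drop.sh` cannot run there), and the agent's own `ossec.conf` must not carry `<active-response><disabled>yes</disabled>`. The rule as posted also has no `<same_source_ip />`, so its count is across all sources, not per client.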
