On 10/27/2010 01:30 PM, Steven Stern wrote:
> Thanks. I've changed it and will await the next attack.
>
> On Wed, Oct 27, 2010 at 1:15 PM, jplee3 wrote:
>> Your section looks OK. There may be issues with the <active-response> portion however. Try this:
>>
>>
>> no
>> firewall-drop
>> local
>> 31
It shows in the email alert I get from OSSEC. The snippet below was
grabbed from OSSEC's logs.
On Wed, Oct 27, 2010 at 1:38 PM, Jeremy Lee wrote:
> Does the source IP even show when that rule is tripped?
>
> On Wed, Oct 27, 2010 at 11:30 AM, Steven Stern
> wrote:
>>
>> Thanks. I've changed it
Does the source IP even show when that rule is tripped?
On Wed, Oct 27, 2010 at 11:30 AM, Steven Stern <
subscribed-li...@sterndata.com> wrote:
> Thanks. I've changed it and will await the next attack.
>
> On Wed, Oct 27, 2010 at 1:15 PM, jplee3 wrote:
> > Your section looks OK. There may be i
Thanks. I've changed it and will await the next attack.
On Wed, Oct 27, 2010 at 1:15 PM, jplee3 wrote:
> Your section looks OK. There may be issues with the <active-response> portion however. Try this:
>
>
> no
> firewall-drop
> local
> 31151
> 8 (I don't think you even need this flag if you
> *
Your section looks OK. There may be issues with the <active-response> portion however. Try this:
no
firewall-drop
local
31151
8 (I don't think you even need this flag if you
*only* want to trigger on the rule id 31151)
Let us know if that works. I think it might be the "disabled" flag
that was keepi
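
Added example, not part of the original posts: the values jplee3 lists, placed in an ossec.conf active-response block together with the command it refers to. The archive kept only the values, so the element names are assumptions based on OSSEC's stock configuration, as is reading the "8" as the level element and the command definition itself.

```xml
<!-- Constructed ossec.conf fragment; element names are assumed, the archive kept only the values -->
<ossec_config>
  <!-- Stock-style definition of the command the response refers to (assumed to exist already) -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <!-- The script is handed the source IP decoded from the alert -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <!-- "no" leaves the response enabled -->
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <!-- Run on the agent that generated the event -->
    <location>local</location>
    <!-- Rule id from the thread -->
    <rules_id>31151</rules_id>
    <!-- Assumed to be the level element; the poster thinks it is not needed when matching on the rule id -->
    <level>8</level>
  </active-response>
</ossec_config>
```

Because the command expects srcip, the response can only block an address when the alert for rule 31151 carries a decoded source IP, which is what the question about the source IP in the thread is checking.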