Giorgio Biondi
2018-10-31 11:48:00 UTC
Hi all,
I have some entries in the log on my mailserver (with the ossec agent installed)
like this:
Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth
failed, 1 attempts): user=<***@caccabee.it>, method=PLAIN,
rip=222.252.6.70, lip=10.12.14.36
and my ossec server says in the alert.log:
Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth
failed, 1 attempts): user=<***@caccabee.it>, method=PLAIN,
rip=222.252.6.70, lip=10.12.14.36
** Alert 1540983795.5645464: mail -
dovecot,invalid_login,authentication_failed,
2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages
Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth
failed, 1 attempts): user=<***@caccabee.it>, method=PLAIN,
rip=222.252.6.70, lip=10.12.14.36
The problem is: rule 9705 in the dovecot rules has level 7, and in my
ossec.conf all rules over level 6 trigger an active response... but not for
'dovecot'... I don't understand why.
All AR is working fine for ALL other rules (http and smtp); only for dovecot
an active response is not triggered.
Any suggestions are appreciated.
Giorgio Biondi
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.