Ossec and dovecot under attack


biondi....@gmail.com

Oct 30, 2018, 5:17:18 PM
to ossec-dev
Hi all,

I have a mail server with dovecot and I have too many failed user logins. I'm under attack.
I have raised the level from 5 to 7 on rule 9705 - I have set level 6 to trigger active response.

I have noticed this: a postfix rule over level 6 triggers an AR, but it doesn't trigger for the dovecot rule.

This is the alert.log from the server:

DOESN'T TRIGGER AR

** Alert 1540930722.12072957: mail  - dovecot,invalid_login,authentication_failed,
2018 Oct 30 21:18:42 (xxxx.xxxx.xxx) 10.12.14.36->/var/log/messages
Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
Oct 30 21:18:42 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<in...@xxxxxx.it>, method=PLAIN, rip=143.255.155.143, lip=10.12.14.36

TRIGGERS AR

** Alert 1540931992.12191428: mail  - syslog,postfix,authentication_failed,
2018 Oct 30 21:39:52 (mailscanner04.tech2.it) 10.12.14.36->/var/log/maillog
Rule: 3332 (level 7) -> 'Postfix SASL authentication failure.'
Src IP: 14.169.243.72
Oct 30 21:39:50 mailscanner04 postfix/smtpd[21137]: warning: unknown[14.169.243.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Any suggestion is appreciated.

Giorgio Biondi
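
A check for the one difference visible between the two alerts above, as an added example that is not part of the original post: the Postfix alert carries a decoded "Src IP:" line and the Dovecot alert does not. It assumes the active response in use needs a decoded source IP (as the stock firewall-drop and host-deny commands do); the function names and the ar_level parameter are chosen here for illustration.

```python
import re

# The two alerts quoted in the post, embedded as sample input.
SAMPLE = """\
** Alert 1540930722.12072957: mail  - dovecot,invalid_login,authentication_failed,
2018 Oct 30 21:18:42 (xxxx.xxxx.xxx) 10.12.14.36->/var/log/messages
Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
Oct 30 21:18:42 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<in...@xxxxxx.it>, method=PLAIN, rip=143.255.155.143, lip=10.12.14.36

** Alert 1540931992.12191428: mail  - syslog,postfix,authentication_failed,
2018 Oct 30 21:39:52 (mailscanner04.tech2.it) 10.12.14.36->/var/log/maillog
Rule: 3332 (level 7) -> 'Postfix SASL authentication failure.'
Src IP: 14.169.243.72
Oct 30 21:39:50 mailscanner04 postfix/smtpd[21137]: warning: unknown[14.169.243.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
SRCIP_RE = re.compile(r"^Src IP: (\S+)$", re.M)


def parse_alerts(text):
    """Split alerts.log text into alerts; keep rule id, level and decoded srcip."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text):
        rule = RULE_RE.search(block)
        if not rule:
            continue  # not an alert block (blank or truncated entry)
        src = SRCIP_RE.search(block)
        alerts.append({
            "rule": int(rule.group(1)),
            "level": int(rule.group(2)),
            "srcip": src.group(1) if src else None,  # None: decoder extracted no IP
        })
    return alerts


def rules_without_srcip(alerts, ar_level=6):
    """Rule ids at or above the AR level whose alerts carry no decoded source IP."""
    return sorted({a["rule"] for a in alerts
                   if a["level"] >= ar_level and a["srcip"] is None})


if __name__ == "__main__":
    for rule_id in rules_without_srcip(parse_alerts(SAMPLE)):
        print(f"rule {rule_id}: level is high enough, but no Src IP was decoded")
```

On the two alerts from the post this reports rule 9705 only: the address is present in the raw Dovecot line as rip=, but it was not decoded into a Src IP field.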
