First, sorry for my bad English.
I'm a newbie and I have used OSSEC for about 2 weeks. Last week, active response still worked well. But after 2 or 3 days, I checked /var/logs/auth.log and found that there was an SSH brute force attack from an IP against my server. But then I checked the active-response log and found that this IP didn't get blocked by firewall-drop.

Here is the active-response config from ossec.conf:
  <active-response>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>10,20,30</repeated_offenders>
  </active-response>

Rule 5712 remains the same as the default in sshd_rules.xml.

Here is the auth.log:
Jul  3 08:01:51 ubuntu-server sshd[17502]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:01:54 ubuntu-server sshd[17504]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:01:57 ubuntu-server sshd[17506]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:00 ubuntu-server sshd[17508]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:02 ubuntu-server sshd[17510]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:04 ubuntu-server sshd[17512]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:07 ubuntu-server sshd[17514]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:10 ubuntu-server sshd[17516]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:13 ubuntu-server sshd[17518]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:16 ubuntu-server sshd[17520]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:18 ubuntu-server sshd[17522]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]

There are about a hundred of these log lines, all from the same IP, but this IP hasn't been blocked. The active-response log shows nothing about blocking this IP.
Has something happened to the active-response or to OSSEC?
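Added illustration, not part of the original post and not OSSEC's own code: a simplified Python model of how a frequency rule counts its child rule's matches, run over three of the posted lines plus constructed contrast lines. It assumes the stock sshd_rules.xml layout in which rule 5710 matches "illegal user"/"invalid user" messages and rule 5712 fires once 6 such events from the same source IP fall within 120 seconds; under that assumption a "Received disconnect ... [preauth]" line is parsed and counted but never advances the 5712 counter the active response is bound to.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified model (assumption, see lead-in): 5710 matches "invalid/illegal user";
# 5712 fires once FREQUENCY such hits from one source IP fall within TIMEFRAME seconds.
RULE_5710 = re.compile(r"illegal user|invalid user", re.IGNORECASE)
FREQUENCY, TIMEFRAME = 6, 120
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def evaluate(lines):
    """Return (5710 hits per ip, non-5710 sshd lines per ip, ips for which 5712 fired)."""
    hits, ignored, fired = defaultdict(int), defaultdict(int), set()
    window = defaultdict(deque)  # per-ip timestamps of 5710 hits inside TIMEFRAME
    for line in lines:
        m = LINE_RE.match(line)
        ip = IP_RE.search(m["msg"]) if m else None
        if not ip:
            continue  # not an sshd line, or no source address to act on
        ip = ip.group(1)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # no year; deltas suffice
        if not RULE_5710.search(m["msg"]):
            ignored[ip] += 1  # e.g. "Received disconnect ... [preauth]"
            continue
        hits[ip] += 1
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()  # drop hits that fell out of the sliding timeframe
        if len(q) >= FREQUENCY:
            fired.add(ip)  # this is the point a 5712-bound active response would run
    return dict(hits), dict(ignored), fired

# Constructed sample: three of the posted lines plus six constructed "Invalid user"
# lines from 203.0.113.7 (TEST-NET-3) for contrast.
SAMPLE = """\
Jul  3 08:01:51 ubuntu-server sshd[17502]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:01:54 ubuntu-server sshd[17504]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:01:57 ubuntu-server sshd[17506]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:05:01 ubuntu-server sshd[17600]: Invalid user admin from 203.0.113.7
Jul  3 08:05:03 ubuntu-server sshd[17601]: Invalid user test from 203.0.113.7
Jul  3 08:05:05 ubuntu-server sshd[17602]: Invalid user oracle from 203.0.113.7
Jul  3 08:05:07 ubuntu-server sshd[17603]: Invalid user ubuntu from 203.0.113.7
Jul  3 08:05:09 ubuntu-server sshd[17604]: Invalid user pi from 203.0.113.7
Jul  3 08:05:11 ubuntu-server sshd[17605]: Invalid user git from 203.0.113.7
""".splitlines()
```

The real decoder and rule chain can be checked for any single line with /var/ossec/bin/ossec-logtest, which prints the rule id that actually matched.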
