Sorry for the 'spam' hehe, just checked my configuration once more. The 
active response section you refer to, is that the original response setting? 
Make sure to have the following within your ossec.conf (server side):

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>600</timeout>
  <repeated_offenders>30,60,120,240,480</repeated_offenders>
</active-response>

<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <rules_id>100101</rules_id>
</active-response>

Den måndag 3 juli 2017 kl. 12:15:08 UTC+2 skrev Fredrik Hilmersson:
>
> ossec.conf on the AGENT side, forgot to mention!
>
> Den måndag 3 juli 2017 kl. 12:14:30 UTC+2 skrev Fredrik Hilmersson:
>>
>> Hey, I had a similar issue with the active response not working as 
>> intended. The way I solved it was to add the following to the ossec.conf 
>>
>> <ossec_config>
>>   <client>
>>     <server-ip>ossec-server</server-ip>
>>   </client>
>>   <active-response>
>>     <repeated_offenders>30,60,120,240,480</repeated_offenders>
>>   </active-response>
>>   <global>
>>     <email_notification>no</email_notification>
>>   </global>
>> </ossec_config>
>>
>> kind regards,
>> Fredrik
>>
>> Den måndag 3 juli 2017 kl. 12:05:36 UTC+2 skrev Tunguyen:
>>>
>>> My rule fired, I received alert emails too. But active-response doesn't 
>>> work. 
>>>
>>> Here is my active-response config in ossec.conf:
>>>
>>> <active-response>
>>>     <command>firewall-drop</command>
>>>     <location>all</location>
>>>     <rules_id>100101</rules_id>
>>>     <timeout>600</timeout>
>>> </active-response>
>>>
>>> Here is my email alert:
>>>
>>> Received From: ubuntu-server->/var/log/nginx/access.log
>>> Rule: 100101 fired (level 9) -> "Multiple access in a short time from same IP"
>>> Portion of the log(s):
>>>
>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:27 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:26 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:24 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>
>>>
>>> After receiving this alert message, my IP hasn't been blocked and I 
>>> still can send a bunch of requests to the server. And when I checked 
>>> /var/ossec/logs/active-responses.log, it was empty. No IP has been blocked. 
>>> Can someone explain please?
>>>
>>
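As an added check for the server-side configuration discussed in this thread (my own example, not code from the thread or from OSSEC), the script below parses the <active-response> blocks of an ossec.conf, flags blocks that can never run (missing command, bad location, no trigger), and reports which blocks would fire for an alert such as rule 100101 at level 9. The sample config is constructed from the snippets above; the script assumes <level> and <rules_id> act as independent (OR) triggers and does not handle <rules_group>.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server-side config in this thread.
# ossec.conf may hold several top-level <ossec_config> blocks, so it is not
# a single-rooted XML document; wrap it in a synthetic root before parsing.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command><location>all</location>
    <level>6</level><timeout>600</timeout>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
  </active-response>
  <active-response>
    <command>firewall-drop</command><location>all</location>
    <rules_id>100101</rules_id>
  </active-response>
</ossec_config>
<ossec_config>
  <global><email_notification>no</email_notification></global>
</ossec_config>
"""

def parse_active_responses(conf_text):
    """Return one dict (child tag -> text) per <active-response> block."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [{c.tag: (c.text or "").strip() for c in ar}
            for ar in root.iter("active-response")]

def check_response(ar):
    """Return the problems that would stop this block from ever running."""
    problems = []
    if not ar.get("command"):
        problems.append("missing <command>")
    if ar.get("location") not in {"local", "server", "defined-agent", "all"}:
        problems.append("invalid or missing <location>")
    if "level" not in ar and "rules_id" not in ar:
        problems.append("no trigger: need <level> or <rules_id>")
    return problems

def would_fire(ar, rule_id, level):
    """Assumption: <level> and <rules_id> are independent triggers (OR)."""
    if ar.get("disabled") == "yes" or check_response(ar):
        return False
    ids = {x.strip() for x in ar.get("rules_id", "").split(",")}
    return str(rule_id) in ids or ("level" in ar and level >= int(ar["level"]))

def responses_for_alert(conf_text, rule_id, level):
    return [ar["command"] for ar in parse_active_responses(conf_text)
            if would_fire(ar, rule_id, level)]
```

If this reports a match on the server but active-responses.log stays empty, the problem is on the agent side (the agent's own ossec.conf must not disable active response) or in the firewall-drop script itself.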
