On Wed, Jul 5, 2017 at 12:52 AM, Tunguyen <tu.nguyenanh...@gmail.com> wrote:
> Hi everyone, here is my ossec.conf on the server:
>
> <active-response>
>   <!-- Block Multiple SQL Injection from same IP -->
>   <command>firewall-drop</command>
>   <location>server,all</location>
>   <rules_id>31152</rules_id>
>   <timeout>600</timeout>
>   <repeated_offenders>30,60,90,120,150</repeated_offenders>
> </active-response>
>
> rule 31152 is:
>
> <rule id="31152" level="10" frequency="6" timeframe="120">
>   <if_matched_sid>31103</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple SQL injection attempts from same </description>
>   <description>source ip.</description>
>   <group>attack,sql_injection,</group>
> </rule>
>
> After I tried SQL injection against the agent using the agent IP address, rule
> 31152 fired. I could still connect to the agent IP, but I couldn't connect to the
> server IP, and I found out that I had been blocked from the server IP. If I
> change <location>server,all</location> into <location>all</location>, I am
> not blocked anymore by either the server or the agent. So is there anything
> wrong with my config?
I don't think that option can accept multiple locations. Use 2 active-response configurations, one for the server and the other for all.
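The layout the reply suggests, written out as an added example (it is not from the original thread or from the OSSEC project). `<location>` takes a single value (`local`, `server`, `defined-agent` or `all`), so the manager's ossec.conf gets one `<active-response>` block per location. The rule ID, command and timeouts are the poster's; the `<command>` definition is the stock firewall-drop entry that ships in the default manager config, and the fragment assumes the agents have `firewall-drop.sh` installed and do not have active response disabled in their own ossec.conf.

```xml
<!-- Manager-side ossec.conf, added example: one <active-response> per location.
     Rule 31152, firewall-drop and the timeouts are the poster's values. -->
<ossec_config>
  <!-- Stock command definition from the default manager config.
       firewall-drop.sh receives the alert's source IP (srcip). -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Block the offending IP on the manager itself -->
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>31152</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60,90,120,150</repeated_offenders>
  </active-response>

  <!-- Block the same IP on every agent -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>31152</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60,90,120,150</repeated_offenders>
  </active-response>
</ossec_config>
```

After restarting the manager, confirm the response actually reaches both sides by triggering the rule again and reading /var/ossec/logs/active-responses.log on the manager and on the agent; an agent that logs nothing there usually has `<active-response><disabled>yes</disabled></active-response>` in its ossec.conf or is missing the script under active-response/bin.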