Hi,

in the agent you must enable active-response: 

<active-response><disabled>no</disabled></active-response>


Then, restart the agent, generate the 100101 rule, and check out the 
*active-response.log* of the agent.

I hope it helps.

On Tuesday, July 4, 2017 at 4:26:27 AM UTC+2, Tunguyen wrote:
>
> I've checked the ossec.conf on server side and agent side, those are all 
> the same as yours
> Here is the agent side:
>   <active-response>
>     <repeated_offenders>20,40,60</repeated_offenders>
>   </active-response>
>
> And the server side is the same as above, except that I add 
> <repeated_offenders> like this:
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <rules_id>100101</rules_id>
>   <timeout>600</timeout>
>   <repeated_offenders>20,40,60</repeated_offenders>
> </active-response>
>
> But the response still doesn't work. 
> Hmm active-response used to work well, but after a day without changing 
> anything, it doesn't work anymore :(
>
> On Monday, July 3, 2017 at 5:20:35 PM UTC+7, Fredrik Hilmersson wrote:
>>
>> Sorry for the 'spam' hehe, just checked my configuration once more and 
>> the active response section you refer to is that the original response 
>> setting? Make sure to have the following within your ossec.conf (server 
>> side):
>>
>> <active-response>
>>   <!-- Firewall Drop response. Block the IP for
>>      - 600 seconds on the firewall (iptables,
>>      - ipfilter, etc).
>>   -->
>>   <command>firewall-drop</command>
>>   <location>all</location>
>>   <level>6</level>
>>   <timeout>600</timeout>
>>   <repeated_offenders>30,60,120,240,480</repeated_offenders>
>> </active-response>
>>
>> <active-response>
>>   <command>firewall-drop</command>
>>   <location>all</location>
>>   <rules_id>100101</rules_id>
>> </active-response>
>>
>> Den måndag 3 juli 2017 kl. 12:15:08 UTC+2 skrev Fredrik Hilmersson:
>>>
>>> ossec.conf on the AGENT side, forgot to mention!
>>>
>>> Den måndag 3 juli 2017 kl. 12:14:30 UTC+2 skrev Fredrik Hilmersson:
>>>>
>>>> Hey, I had a similar issue with the active response not working as 
>>>> intended. The way I solved it was to add the following to the ossec.conf 
>>>>
>>>> <ossec_config>
>>>>   <client>
>>>>     <server-ip>ossec-server</server-ip>
>>>>   </client>
>>>>
>>>>   <active-response>
>>>>     <repeated_offenders>30,60,120,240,480</repeated_offenders>
>>>>   </active-response>
>>>>
>>>>   <global>
>>>>     <email_notification>no</email_notification>
>>>>   </global>
>>>>
>>>> kind regards,
>>>> Fredrik
>>>>
>>>> Den måndag 3 juli 2017 kl. 12:05:36 UTC+2 skrev Tunguyen:
>>>>>
>>>>> My rule fired, I received alert emails too. But active-response 
>>>>> doesn't work. 
>>>>>
>>>>> Here is my active-response config in ossec.conf:
>>>>>
>>>>> <active-response>
>>>>>     <command>firewall-drop</command>
>>>>>     <location>all</location>
>>>>>     <rules_id>100101</rules_id>
>>>>>     <timeout>600</timeout>
>>>>> </active-response>
>>>>>
>>>>> Here is my email alert:
>>>>>
>>>>> Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 
>>>>> fired (level 9) -> “Multiple access in a short time from same IP” Portion 
>>>>> of the log(s):
>>>>>
>>>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / 
>>>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
>>>>> Safari/537.36” 
>>>>>
>>>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / 
>>>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
>>>>> Safari/537.36” 
>>>>>
>>>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / 
>>>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
>>>>> Safari/537.36” 
>>>>>
>>>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / 
>>>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
>>>>> Safari/537.36” 
>>>>>
>>>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / 
>>>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
>>>>> Safari/537.36” 
>>>>>
>>>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / 
>>>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
>>>>> Safari/537.36” 
>>>>>
>>>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / 
>>>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36”
>>>>>
>>>>>
>>>>> After receiving this alert message, my IP hasn't been blocked and I 
>>>>> can still send a bunch of requests to the server. And when I checked 
>>>>> /var/ossec/logs/active-responses.log, it was empty. No IP has been blocked. 
>>>>> Can someone explain please?
>>>>>
>>>>

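As an added example (not OSSEC code and not anything the posters ran), the checker below audits the `<active-response>` blocks discussed in this thread: it flags an agent block that carries `<disabled>yes</disabled>`, flags a server-side response definition that lacks `<command>`, `<location>` or a `<rules_id>`/`<level>` trigger, and reports tag typos such as `</ timeout>` as a parse failure. The sample configurations are constructed from the fragments quoted above; the tag names are the standard ossec.conf ones.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the thread, not the posters' real files.
AGENT_CONF = """<ossec_config>
  <active-response>
    <disabled>yes</disabled>
    <repeated_offenders>20,40,60</repeated_offenders>
  </active-response>
</ossec_config>"""
SERVER_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <location>all</location>
    <rules_id>100101</rules_id>
  </active-response>
</ossec_config>"""
BROKEN_CONF = "<active-response><time-out> 600 </ timeout></active-response>"
RESPONSE_TAGS = ("command", "location", "rules_id", "level", "timeout")

def parse_ossec_conf(text):
    # ossec.conf may hold several <ossec_config> roots; wrap them so the whole
    # file parses as one document. Malformed tags such as </ timeout> raise ET.ParseError.
    return ET.fromstring("<root>" + text + "</root>")

def is_well_formed(text):
    try:
        parse_ossec_conf(text)
        return True
    except ET.ParseError:
        return False

def audit_active_response(text):
    """Return one finding per problem in each <active-response> block, in file order."""
    findings = []
    for n, ar in enumerate(parse_ossec_conf(text).iter("active-response"), start=1):
        if (ar.findtext("disabled") or "").strip().lower() == "yes":
            findings.append(f"block {n}: <disabled>yes</disabled>, this host runs no responses")
        if any(ar.find(t) is not None for t in RESPONSE_TAGS):
            # Server-side response definition: needs a command, a location and a trigger.
            for tag in ("command", "location"):
                if ar.find(tag) is None:
                    findings.append(f"block {n}: response definition has no <{tag}>")
            if ar.find("rules_id") is None and ar.find("level") is None:
                findings.append(f"block {n}: response definition has no <rules_id> or <level>")
    return findings
```

Run it against `/var/ossec/etc/ossec.conf` on the agent and on the server; an empty finding list plus a well-formed file leaves only the runtime side (restart, trigger rule 100101, read the active-responses log) to check.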