Hi All,

Is there a way to make OSSEC extend the Active Response timeout of 600 sec if it detects the SAME IP continuing to hammer the server after already being removed the first time?

E.g., here we have 81.208.15.156 continually trying to FTP in with the user Administrator using some dictionary attack. OSSEC detects this and bans them for 10 mins. When the IP is removed, the dictionary attack continues and they end up being banned again. On the second detection, can we add some smarts to OSSEC's Active Response and ban them for a longer period?

Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273115275.2479428 100004
Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273115275.2479428 100004
Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh delete - 81.208.15.156 1273115275.2479428 100004
Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 81.208.15.156 1273115275.2479428 100004
Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273116216.3236494 100004
Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273116216.3236494 100004

Thanks.
Andy
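One way to get escalating bans out of the active-response mechanism, as an added example that is not part of Andy's post and not one of OSSEC's own scripts. Later OSSEC releases added a `<repeated_offenders>` option (a comma-separated list of increasing timeouts in minutes inside the `<active-response>` block) that does this natively; on a version without it, the escalation has to live in the active-response script itself. The Python below is a stand-in for firewall-drop.sh: execd calls it with the same `add|delete user ip alert_id rule_id` arguments it logs in active-responses.log, so on every `delete` the script can count how many distinct alerts have already banned that IP and, for a repeat offender, defer the unblock instead of honouring OSSEC's fixed 600 s. The log path, the doubling schedule, the 24 h cap and the `iptables` commands are assumptions made for this example; the sample lines are the ones from the post.

```python
#!/usr/bin/env python3
"""Escalating-ban wrapper for an OSSEC active-response script (added example).

execd runs an active-response script as
    <script> <action> <user> <ip> <alert_id> <rule_id>
and records each call in active-responses.log in the format shown in the post.
This wrapper stands in for firewall-drop.sh: it counts how many separate alerts
have already banned an IP and, on the 'delete' that OSSEC issues when its fixed
<timeout> expires, keeps repeat offenders blocked for a doubling extra period.
"""
import os
import re
import subprocess
import sys

AR_LOG = "/usr/local/ossec/logs/active-responses.log"  # path assumed for this example
BASE_TIMEOUT = 600        # seconds; must match <timeout> in ossec.conf
MAX_TIMEOUT = 24 * 3600   # cap chosen here so a noisy source is never banned forever

# One active-responses.log line: <date> <script> <action> <user> <ip> <alert_id> <rule_id>
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Sample input copied from the post (the two bans of 81.208.15.156).
SAMPLE_LOG = [
    "Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273115275.2479428 100004",
    "Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273115275.2479428 100004",
    "Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh delete - 81.208.15.156 1273115275.2479428 100004",
    "Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 81.208.15.156 1273115275.2479428 100004",
    "Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273116216.3236494 100004",
    "Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273116216.3236494 100004",
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ban_events(lines, ip):
    """Alert ids that have already triggered an 'add' for this IP.

    Counting alert ids rather than lines matters: every ban writes one line per
    configured script (firewall-drop.sh and host-deny.sh in the post), so
    counting 'add' lines would count each ban twice.
    """
    ids = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "add" and rec["ip"] == ip:
            ids.add(rec["alert_id"])
    return ids


def escalated_timeout(prior_bans, base=BASE_TIMEOUT, cap=MAX_TIMEOUT):
    """Ban length for an IP banned prior_bans times before: 600, 1200, 2400, ... up to cap."""
    return min(base * (2 ** prior_bans), cap)


def extra_block_seconds(lines, ip, current_alert_id, base=BASE_TIMEOUT, cap=MAX_TIMEOUT):
    """Seconds to keep blocking after OSSEC's own 'delete' for the current alert."""
    prior = ban_events(lines, ip) - {current_alert_id}   # current ban is already logged
    return escalated_timeout(len(prior), base, cap) - base


def iptables(op, ip):
    subprocess.call(["iptables", op, "INPUT", "-s", ip, "-j", "DROP"])


def main(argv):
    if len(argv) < 6:
        sys.exit("usage: %s add|delete user ip alert_id rule_id" % argv[0])
    action, ip, alert_id = argv[1], argv[3], argv[4]
    if not IPV4_RE.match(ip):   # never pass an unvalidated field to a shell below
        sys.exit("refusing to act on non-IPv4 argument %r" % ip)
    if action == "add":
        iptables("-I", ip)
        return
    with open(AR_LOG) as fh:
        extra = extra_block_seconds(fh.readlines(), ip, alert_id)
    if extra <= 0:
        iptables("-D", ip)
        return
    # Repeat offender: hand the delayed unblock to a detached shell so execd,
    # which waits for this script to exit, is not held up for the extra time.
    subprocess.Popen(
        ["sh", "-c", "sleep %d; iptables -D INPUT -s %s -j DROP" % (extra, ip)],
        preexec_fn=os.setsid, close_fds=True,
    )


if __name__ == "__main__":
    main(sys.argv)
```

With the log from the post, the second `delete` for 81.208.15.156 (alert 1273116216.3236494) finds one earlier ban, so the address stays dropped for 1200 s in total instead of 600 s; a third ban would give 2400 s, and so on up to the cap. host-deny.sh would need the same treatment for the hosts.deny entry, and the schedule must be tuned against whatever shares that source address (NAT, a proxy), since the cap is the only thing preventing a long ban on a whole office.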
