On Wed, Dec 15, 2010 at 2:51 PM, Kenny - Risco Zero <[email protected]> wrote:
> hi
>
> I just wanna know if it's possible to have different durations for each
> level of event, on ossec.conf.
> This is the example:
>
> #######################################################
>
> <!-- Active Response Config -->
> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every event that fires a rule with
> - level (severity) >= 6.
> - The IP is going to be blocked for 3600 seconds.
> -->
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>3600</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 3600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>3600</timeout>
> </active-response>
>
> <!-- Active Response Config -->
> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every event that fires a rule with
> - level (severity) >= 14.
> - The IP is going to be blocked for 43200 seconds (6 hours).
> -->
> <command>host-deny</command>
> <location>local</location>
> <level>14</level>
> <timeout>43200</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 43200 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>14</level>
> <timeout>43200</timeout>
> </active-response>
>
> #######################################################
>
> Thanks,
>
> --
> Kenny Casagrande | Risco Zero
> [email protected]
> (54)3028.5005 | www.riscozero.com.br
Give it a shot. Might work. I'd think you would need to put the higher level ARs at the top though, since <level>6</level> means 6+. Haven't investigated that though, so I could be way off.
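Added example (not from the thread or from OSSEC itself): a small Python check that reads the four blocks above and reports which ones an alert at a given level would match. It assumes, as the config comments say, that <level>N</level> is a minimum (N and above), so it flags commands that end up declared twice for one alert, which is the overlap the reply is unsure about; the <ossec_config> wrapper and compact layout are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment with the same four blocks as the thread:
# each command declared once at level 6 / 3600 s and once at level 14 / 43200 s.
OSSEC_CONF = """<ossec_config>
  <active-response><command>host-deny</command><location>local</location><level>6</level><timeout>3600</timeout></active-response>
  <active-response><command>firewall-drop</command><location>local</location><level>6</level><timeout>3600</timeout></active-response>
  <active-response><command>host-deny</command><location>local</location><level>14</level><timeout>43200</timeout></active-response>
  <active-response><command>firewall-drop</command><location>local</location><level>14</level><timeout>43200</timeout></active-response>
</ossec_config>"""


def parse_active_responses(conf_xml):
    """Return (command, location, level, timeout) tuples in file order."""
    root = ET.fromstring(conf_xml)
    blocks = []
    for ar in root.iter("active-response"):
        blocks.append((
            ar.findtext("command"),
            ar.findtext("location"),
            int(ar.findtext("level")),
            int(ar.findtext("timeout") or 0),
        ))
    return blocks


def matching_responses(blocks, alert_level):
    """Blocks whose <level> threshold is met by the alert (assumes N means N+)."""
    return [b for b in blocks if alert_level >= b[2]]


def overlapping_commands(blocks, alert_level):
    """Map command -> sorted timeouts for commands matched more than once by
    a single alert; an empty dict means no block-ordering question arises."""
    by_cmd = {}
    for cmd, _loc, _lvl, timeout in matching_responses(blocks, alert_level):
        by_cmd.setdefault(cmd, []).append(timeout)
    return {c: sorted(t) for c, t in by_cmd.items() if len(t) > 1}


if __name__ == "__main__":
    blocks = parse_active_responses(OSSEC_CONF)
    for lvl in (5, 6, 14):
        print(lvl, len(matching_responses(blocks, lvl)), overlapping_commands(blocks, lvl))
```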
