On 03/28/2011 01:47 PM, dan (ddp) wrote:
> The units are seconds.
> How far apart were the attacks?
>
> On Sun, Mar 27, 2011 at 12:31 PM, Steven Stern
> <[email protected]> wrote:
>> I just want to confirm.... In an active response rule, is the timeout
>> value the number of seconds?
>>
>> I had someone whacking my website today looking for mysql access and the
>> rule triggered three times (on the same IP address) in two minutes. The
>> first trigger should have locked out his IP for "360" -- my assumption
>> is that is 6 minutes, long enough for the script to time out and move on
>> to someone else.
>>
>>
>> --
>> -- Steve
>>

They were all within two minutes. I've added some logging to the drop
script so I can see exactly when it gets triggered. In my testing, I
managed to lock myself out of the server for 6 minutes, so I know it
works. <smile>

--
-- Steve
