Hi, I tried out the repeated_offenders feature
and used
dcid-ossec-hids-4908b28513b0
from bitbucket. It compiled and installed well and worked fine as usual.
But the reason why I installed this version was the repeated offenders
feature. So my ossec.conf reads like this:
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <repeated_offenders>30,60,120</repeated_offenders>
  <command>firewall-drop</command>
  <location>local</location>
  <level>8</level>
  <timeout>900</timeout>
</active-response>
It is a local installation on a single host.
<repeated_offenders> should, as I understand it, block the
offender for 30 minutes the second time he attacks, then for
60 min. and so on. But it did not work. The offender gets blocked
for 15 minutes every time OSSEC detects an attack.
Sample of a repeated offender:
grep 208.80.43.202 logs/active-responses.log
Mi 27. Apr 22:08:36 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303934916.1215355 31151
Mi 27. Apr 22:08:36 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303934916.1215355 31151
Mi 27. Apr 22:23:37 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303934916.1215355 31151
Mi 27. Apr 22:23:37 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303934916.1215355 31151
Mi 27. Apr 22:50:19 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303937419.1268871 31151
Mi 27. Apr 22:50:19 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303937419.1268871 31151
Mi 27. Apr 23:05:20 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303937419.1268871 31151
Mi 27. Apr 23:05:20 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303937419.1268871 31151
Mi 27. Apr 23:08:29 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303938509.1343102 31151
Mi 27. Apr 23:08:29 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303938509.1343102 31151
Mi 27. Apr 23:22:01 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303938509.1343102 31151
Mi 27. Apr 23:22:01 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303938509.1343102 31151
Mi 27. Apr 23:29:38 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303939778.1360115 31151
Mi 27. Apr 23:29:38 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303939778.1360115 31151
Mi 27. Apr 23:46:07 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303939778.1360115 31151
Mi 27. Apr 23:46:07 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303939778.1360115 31151
Mi 27. Apr 23:47:37 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303940857.1391571 31151
Mi 27. Apr 23:47:37 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303940857.1391571 31151
Do 28. Apr 00:02:38 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303940857.1391571 31151
Do 28. Apr 00:02:38 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303940857.1391571 31151
Do 28. Apr 00:11:33 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303942293.9783 31151
Do 28. Apr 00:11:33 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303942293.9783 31151
Do 28. Apr 00:26:34 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303942293.9783 31151
Do 28. Apr 00:26:34 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303942293.9783 31151
Do 28. Apr 00:37:19 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303943839.30199 31151
Do 28. Apr 00:37:19 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303943839.30199 31151
Do 28. Apr 00:52:48 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303943839.30199 31151
Do 28. Apr 00:52:48 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303943839.30199 31151
Do 28. Apr 00:52:54 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303944774.44727 31151
Do 28. Apr 00:52:54 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303944774.44727 31151
Do 28. Apr 01:07:55 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303944774.44727 31151
Do 28. Apr 01:07:55 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303944774.44727 31151
Do 28. Apr 01:08:01 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303945681.73773 31151
Do 28. Apr 01:08:01 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303945681.73773 31151
Do 28. Apr 01:23:02 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303945681.73773 31151
Do 28. Apr 01:23:02 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303945681.73773 31151
The rule that detected the attacks was
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from
same source ip."
Is this option dead, or am I missing something?
Greets Rainer
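One way to verify from active-responses.log whether the escalation took effect, as an added example that is not part of the post or of OSSEC: it pairs each add with its matching delete per IP, computes the observed block length, and compares it with the schedule that <timeout> plus <repeated_offenders> should produce. The sample log below is constructed in the shape of the post's output; the assumption that the last repeated_offenders entry repeats once the list is exhausted is labelled in the code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the post's active-responses.log ("Mi" is the German weekday).
SAMPLE_LOG = """\
Mi 27. Apr 22:08:36 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303934916.1215355 31151
Mi 27. Apr 22:23:37 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303934916.1215355 31151
Mi 27. Apr 22:50:19 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303937419.1268871 31151
Mi 27. Apr 23:05:20 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303937419.1268871 31151
"""

LINE_RE = re.compile(
    r"^\S+ (?P<d>\d+)\. (?P<mon>\w+) (?P<t>\d\d:\d\d:\d\d) \S+ (?P<y>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) - (?P<ip>\S+) \S+ (?P<rule>\d+)$")

def parse_line(line):
    """One log entry -> dict, or None if the line does not match. The month
    abbreviation is assumed to be one %b understands in the C locale ("Apr")."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['d']} {m['mon']} {m['y']} {m['t']}",
                             "%d %b %Y %H:%M:%S")
    return {"when": when, "script": m["script"].rsplit("/", 1)[-1],
            "action": m["action"], "ip": m["ip"], "rule": m["rule"]}

def block_durations(log_text, script="firewall-drop.sh"):
    """ip -> observed block lengths in seconds (each add to its matching delete)."""
    open_blocks, durations = {}, defaultdict(list)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or e["script"] != script:
            continue
        if e["action"] == "add":
            open_blocks[e["ip"]] = e["when"]
        elif e["ip"] in open_blocks:  # a delete closes the open block for that IP
            started = open_blocks.pop(e["ip"])
            durations[e["ip"]].append(int((e["when"] - started).total_seconds()))
    return dict(durations)

def expected_schedule(timeout, repeated_offenders, n):
    """Block lengths the config should give: <timeout> seconds for the first block,
    then the repeated_offenders minutes. Assumption: the last entry repeats afterwards."""
    steps = [timeout] + [int(x) * 60 for x in repeated_offenders.split(",")]
    return [steps[min(i, len(steps) - 1)] for i in range(n)]

def check_escalation(durations, timeout, repeated_offenders, slack=60):
    """[(observed, expected, ok)] per block; ok means within `slack` seconds."""
    expected = expected_schedule(timeout, repeated_offenders, len(durations))
    return [(o, x, abs(o - x) <= slack) for o, x in zip(durations, expected)]
```

Run against the real file with `check_escalation(block_durations(open("logs/active-responses.log").read())["208.80.43.202"], 900, "30,60,120")`; a second block that comes out at about 900 s instead of 1800 s confirms the escalation was not applied.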