Hi Rainer,

Can you send your ossec.log? It should show if the repeated offenders started properly or not...

thanks,

On Fri, Apr 29, 2011 at 6:21 PM, Rainer <[email protected]> wrote:
> Hi, I tried out the repeated_offenders feature and used
>
> dcid-ossec-hids-4908b28513b0
>
> from bitbucket. Compiled and installed well and worked well as usual.
> But the reason why I installed this version was the repeated offenders
> feature. So my ossec.conf reads like this:
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <repeated_offenders>30,60,120</repeated_offenders>
>   <command>firewall-drop</command>
>   <location>local</location>
>   <level>8</level>
>   <timeout>900</timeout>
> </active-response>
>
> It is a local installation on a single host.
> <repeated_offenders> should, as I understand it, block the
> offender for 30 minutes the second time he attacks, then for
> 60 min. and so on. But it did not work. The offender gets blocked
> for 15 minutes every time OSSEC detects an attack.
>
> Sample of a repeated offender:
>
> grep 208.80.43.202 logs/active-responses.log
> Mi 27. Apr 22:08:36 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303934916.1215355 31151
> Mi 27. Apr 22:08:36 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303934916.1215355 31151
> Mi 27. Apr 22:23:37 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303934916.1215355 31151
> Mi 27. Apr 22:23:37 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303934916.1215355 31151
> Mi 27. Apr 22:50:19 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303937419.1268871 31151
> Mi 27. Apr 22:50:19 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303937419.1268871 31151
> Mi 27. Apr 23:05:20 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303937419.1268871 31151
> Mi 27. Apr 23:05:20 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303937419.1268871 31151
> Mi 27. Apr 23:08:29 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303938509.1343102 31151
> Mi 27. Apr 23:08:29 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303938509.1343102 31151
> Mi 27. Apr 23:22:01 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303938509.1343102 31151
> Mi 27. Apr 23:22:01 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303938509.1343102 31151
> Mi 27. Apr 23:29:38 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303939778.1360115 31151
> Mi 27. Apr 23:29:38 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303939778.1360115 31151
> Mi 27. Apr 23:46:07 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303939778.1360115 31151
> Mi 27. Apr 23:46:07 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303939778.1360115 31151
> Mi 27. Apr 23:47:37 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303940857.1391571 31151
> Mi 27. Apr 23:47:37 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303940857.1391571 31151
> Do 28. Apr 00:02:38 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303940857.1391571 31151
> Do 28. Apr 00:02:38 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303940857.1391571 31151
> Do 28. Apr 00:11:33 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303942293.9783 31151
> Do 28. Apr 00:11:33 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303942293.9783 31151
> Do 28. Apr 00:26:34 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303942293.9783 31151
> Do 28. Apr 00:26:34 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303942293.9783 31151
> Do 28. Apr 00:37:19 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303943839.30199 31151
> Do 28. Apr 00:37:19 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303943839.30199 31151
> Do 28. Apr 00:52:48 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303943839.30199 31151
> Do 28. Apr 00:52:48 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303943839.30199 31151
> Do 28. Apr 00:52:54 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303944774.44727 31151
> Do 28. Apr 00:52:54 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303944774.44727 31151
> Do 28. Apr 01:07:55 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303944774.44727 31151
> Do 28. Apr 01:07:55 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303944774.44727 31151
> Do 28. Apr 01:08:01 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 208.80.43.202 1303945681.73773 31151
> Do 28. Apr 01:08:01 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 208.80.43.202 1303945681.73773 31151
> Do 28. Apr 01:23:02 CEST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 208.80.43.202 1303945681.73773 31151
> Do 28. Apr 01:23:02 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 208.80.43.202 1303945681.73773 31151
>
> The rule that detected the attacks was
> Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
>
> Is this option dead or am I missing something?
>
> Greets Rainer
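A quick way to measure what the quoted active-responses.log actually shows, as an added example that is not part of this thread or of OSSEC itself: the script below parses lines in that log format, pairs each firewall-drop.sh add with its delete per IP, and compares the measured block lengths with the escalation the poster expected from <timeout> and <repeated_offenders> (function names, the sample lines and the documentation IP are constructed; it also assumes that once the repeated_offenders list is exhausted the last value keeps applying).

```python
import re
from collections import defaultdict
from datetime import datetime

# Month names as printed by `date` in English and German locales (the quoted log is German)
MONTHS = {m: i + 1 for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
MONTHS.update({"Mär": 3, "Mai": 5, "Okt": 10, "Dez": 12})
# <weekday> <day>. <mon> <HH:MM:SS> <tz> <year> <script> <add|delete> <user> <ip> <alert-id> <rule-id>
LINE_RE = re.compile(
    r"^\S+ (?P<day>\d+)\. (?P<mon>\S+) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<ip>\S+) \S+ (?P<rule>\d+)$")

# Constructed sample in the quoted format (documentation IP, not the poster's data)
SAMPLE_LOG = """\
Mi 27. Apr 22:08:36 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1303934916.1 31151
Mi 27. Apr 22:08:36 CEST 2011 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.7 1303934916.1 31151
Mi 27. Apr 22:23:37 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1303934916.1 31151
Mi 27. Apr 22:50:19 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1303937419.1 31151
Mi 27. Apr 23:05:20 CEST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1303937419.1 31151
"""

def parse_line(line):
    # Returns (timestamp, script, action, ip, rule), or None if the line is not an active-response entry
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]), *map(int, m["time"].split(":")))
    return ts, m["script"], m["action"], m["ip"], m["rule"]

def block_durations(lines, script="firewall-drop.sh"):
    """Minutes each IP stayed blocked: one entry per add/delete pair of the given script."""
    started, durations = {}, defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[1].endswith("/" + script):
            continue  # other scripts (host-deny.sh) run for the same alert; count each block once
        ts, _, action, ip, _ = rec
        if action == "add":
            started[ip] = ts
        elif ip in started:  # a delete without a preceding add is ignored
            durations[ip].append(round((ts - started.pop(ip)).total_seconds() / 60))
    return dict(durations)

def expected_durations(timeout_sec, repeated_offenders, n):
    """<timeout> for the first block, then the repeated_offenders entries (minutes); assumed: last entry repeats."""
    seq = [timeout_sec // 60] + [int(x) for x in repeated_offenders.split(",")]
    return [seq[min(i, len(seq) - 1)] for i in range(n)]

def escalation_ok(durations, timeout_sec, repeated_offenders, slack=1):
    """Per IP: True if the measured block lengths follow the expected escalation (+/- slack minutes)."""
    return {ip: all(abs(a - e) <= slack for a, e in zip(got, expected_durations(timeout_sec, repeated_offenders, len(got))))
            for ip, got in durations.items()}
```

Run it over `grep <ip> logs/active-responses.log` output with the poster's values (900, "30,60,120"); a result of False for an IP means every block lasted the plain <timeout>, which is exactly the symptom described above.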
