Hi,
I want to have different active-response timeouts depending
on the fired rules. So I put in my ossec.conf:
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>8</level>
  <timeout>900</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100005,100030,100032,100034,100036,100037</rules_id>
  <timeout>5600</timeout> <!-- w00t -->
</active-response>
Today I had several attacks that fired rule 100037
(a simple self-made phpMyAdmin scanner detector):
<rule id="100037" level="8">
  <if_sid>31100</if_sid>
  <match>myadmin/scripts</match>
  <description>phpmyadmin scanner</description>
  <group>attacks,</group>
</rule>
OSSEC fired rule 100037 and the active response got activated, BUT
only for 15 minutes and not for 90 minutes as I expected.
Is it possible at all to have such a multiple active-response config?
If yes, why didn't it do the 5600s timeout but instead the 900s?
It's a local installation on Ubuntu Server, OSSEC 2.5.1.
Thanks for any hints.
Greets
Rainer
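Added example (not from the poster or the OSSEC project): a small Python check that lists every <active-response> entry a given rule would trigger, using the documented semantics that <level> matches rules of that level or higher and <rules_id> matches the listed ids (an entry carrying both is assumed here to require both). For rule 100037 at level 8 it reports both firewall-drop entries, with timeouts 900 and 5600, which is the overlap behind the question.

```python
"""List the OSSEC <active-response> entries a given rule would trigger.

Assumed matching semantics (OSSEC's documented options): <level>N</level>
fires for rules of level >= N, <rules_id> fires for the listed ids only,
and an entry with both criteria is assumed to need both to match.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the two entries from the post. ossec.conf has no
# single root element, so the snippet is wrapped in a synthetic <root>.
OSSEC_CONF = """<root>
<active-response>
  <command>firewall-drop</command><location>local</location>
  <level>8</level><timeout>900</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command><location>local</location>
  <rules_id>100005,100030,100032,100034,100036,100037</rules_id>
  <timeout>5600</timeout>
</active-response>
</root>"""


def _text(element, tag):
    """Stripped text of a child tag, or '' when the tag is absent."""
    return (element.findtext(tag) or "").strip()


def parse_active_responses(conf_xml):
    """One dict per <active-response> block with its matching criteria."""
    entries = []
    for ar in ET.fromstring(conf_xml).iter("active-response"):
        level, ids = _text(ar, "level"), _text(ar, "rules_id")
        entries.append({
            "command": _text(ar, "command"),
            "level": int(level) if level else None,
            "rules_id": {int(i) for i in ids.split(",") if i.strip()},
            "timeout": int(_text(ar, "timeout") or 0),
        })
    return entries


def matching_responses(conf_xml, rule_id, rule_level):
    """All entries that would fire for the rule, as (command, timeout)."""
    hits = []
    for e in parse_active_responses(conf_xml):
        level_ok = e["level"] is None or rule_level >= e["level"]
        ids_ok = not e["rules_id"] or rule_id in e["rules_id"]
        if level_ok and ids_ok:
            hits.append((e["command"], e["timeout"]))
    return hits


def conflicting_timeouts(conf_xml, rule_id, rule_level):
    """Commands the rule triggers via entries that disagree on timeout."""
    by_cmd = {}
    for cmd, timeout in matching_responses(conf_xml, rule_id, rule_level):
        by_cmd.setdefault(cmd, set()).add(timeout)
    return {c: sorted(t) for c, t in by_cmd.items() if len(t) > 1}
```

Running conflicting_timeouts(OSSEC_CONF, 100037, 8) over a real ossec.conf (wrapped in a root element) shows which commands are reachable through more than one entry before relying on a particular timeout.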