The order of the AR definitions matters. I think it is first match wins.
On Jun 25, 2011 2:34 PM, "Rainer" <[email protected]> wrote:
> Hi,
> I want to have different active-response timeouts depending
> on the fired rules. So I put in my ossec.conf:
>
> <active-response>
> <command>firewall-drop</command>
> <location>local</location>
> <level>8</level>
> <timeout>900</timeout>
> </active-response>
>
> <active-response>
> <command>firewall-drop</command>
> <location>local</location>
> <rules_id>100005,100030,100032,100034,100036,100037</rules_id>
> <timeout>5600</timeout> <!-- w00t -->
> </active-response>
>
> Today I had several attacks that fired rule 100037
> (a simple self-made myphpadmin scanner detector):
> <rule id="100037" level="8">
> <if_sid>31100</if_sid>
> <match>myadmin/scripts</match>
> <description>phpmyadmin scanner</description>
> <group>attacks,</group>
> </rule>
>
> OSSEC fired rule 100037, active response got activated, BUT
> only for 15 minutes and not for 90 minutes as I expected.
> Is it possible at all to have such a multiple active-response config?
> If yes, why didn't it do the 5600s timeout but instead the 900s?
>
> It's a local installation on ubuntu server. OSSEC 2.5.1
>
> Thanks for hints.
>
> Greets
> Rainer
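To make the ordering point concrete, here is an added example (not from the thread or from OSSEC's source) that parses the two quoted <active-response> blocks and models the first-match-wins selection the reply describes; the matching rules it assumes are that <level> is a minimum alert level and <rules_id> is an exact id list, and the first_match_timeout model is hypothetical, not OSSEC's own code.

```python
import xml.etree.ElementTree as ET

# Constructed from the two <active-response> blocks quoted in the thread,
# wrapped in a root element so ElementTree can parse them as one document.
OSSEC_CONF = """<ossec_config>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>8</level>
<timeout>900</timeout>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>100005,100030,100032,100034,100036,100037</rules_id>
<timeout>5600</timeout>
</active-response>
</ossec_config>"""

def parse_active_responses(xml_text):
    """Return the <active-response> blocks as dicts, in file order."""
    root = ET.fromstring(xml_text)
    defs = []
    for ar in root.findall("active-response"):
        level = ar.findtext("level")
        rules = ar.findtext("rules_id")
        defs.append({
            "command": ar.findtext("command"),
            "level": int(level) if level else None,
            "rules_id": {int(r) for r in rules.split(",")} if rules else set(),
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return defs

def matches(ar, rule_id, level):
    """A definition applies when every filter it sets matches the alert (assumed semantics)."""
    if ar["level"] is not None and level < ar["level"]:
        return False
    if ar["rules_id"] and rule_id not in ar["rules_id"]:
        return False
    return True

def first_match_timeout(defs, rule_id, level):
    """Hypothetical first-match-wins model of the selection the reply describes."""
    for ar in defs:
        if matches(ar, rule_id, level):
            return ar["timeout"]
    return None
```

With the blocks in Rainer's order, an alert for rule 100037 at level 8 hits the level-8 block first and gets the 900 s timeout; swapping the two blocks yields 5600 s.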