Hi!
In my local installation the repeated offenders feature is not
working. I had an offender on distinct sites on my server (Apache
virtual hosts on one machine) all day, but active response
always worked only with the normal blocking time.
ossec.conf:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<repeated_offenders>30,60,120</repeated_offenders>
<level>8</level>
<timeout>900</timeout>
</active-response>
active-responses.log:
Thu Dec 29 08:21:56 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325143316.548516 31151
Thu Dec 29 08:37:07 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325143316.548516 31151
Thu Dec 29 09:13:34 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325146414.596145 31151
Thu Dec 29 09:28:35 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325146414.596145 31151
Thu Dec 29 09:38:08 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325147888.615001 31151
Thu Dec 29 09:54:39 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325147888.615001 31151
Thu Dec 29 11:18:25 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325153905.692805 31151
Thu Dec 29 11:33:26 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325153905.692805 31151
and so on.
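
Added example, not part of the original post and not OSSEC code: a small check that pairs each add/delete entry in active-responses.log and compares how long every block actually lasted with what the `<timeout>` and `<repeated_offenders>` settings above would give. The function names, the 120-second tolerance and the assumed escalation order (first block uses `<timeout>`, later blocks use the listed minutes) are assumptions of this example.

```python
import re
from datetime import datetime
# Constructed input: the log entries quoted in the post, one entry per line.
SAMPLE_LOG = """\
Thu Dec 29 08:21:56 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325143316.548516 31151
Thu Dec 29 08:37:07 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325143316.548516 31151
Thu Dec 29 09:13:34 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325146414.596145 31151
Thu Dec 29 09:28:35 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325146414.596145 31151
Thu Dec 29 09:38:08 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325147888.615001 31151
Thu Dec 29 09:54:39 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325147888.615001 31151
Thu Dec 29 11:18:25 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325153905.692805 31151
Thu Dec 29 11:33:26 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325153905.692805 31151
"""

# Timestamp (zone name ignored), script path, action, user, source IP, alert id
LINE_RE = re.compile(r"^\w{3} (\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ (\d{4}) "
                     r"(\S+) (add|delete) \S+ (\S+) (\S+)")

def block_durations(log_text):
    """Pair each 'add' with its 'delete'; return {ip: [seconds blocked, ...]}."""
    pending, durations = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mon, day, hms, year, script, action, ip, alert_id = m.groups()
        ts = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
        key = (script, ip, alert_id)
        if action == "add":
            pending[key] = ts
        elif key in pending:
            held = int((ts - pending.pop(key)).total_seconds())
            durations.setdefault(ip, []).append(held)
    return durations

def escalation_report(durations, timeout_s, repeated_min, slack_s=120):
    # Returns {ip: [(block number, expected s, observed s, matches), ...]}.
    # Assumption: block 1 lasts <timeout> seconds; each later block uses the next
    # <repeated_offenders> value (minutes), the last one repeating. slack_s is assumed.
    expected = [timeout_s] + [m * 60 for m in repeated_min]
    report = {}
    for ip, observed in durations.items():
        wanted = [expected[min(n, len(expected) - 1)] for n in range(len(observed))]
        report[ip] = [(n + 1, w, s, abs(s - w) <= slack_s)
                      for n, (w, s) in enumerate(zip(wanted, observed))]
    return report

if __name__ == "__main__":
    print(escalation_report(block_durations(SAMPLE_LOG), 900, [30, 60, 120]))
```

On the entries from the post, every block lasts roughly 900 seconds, so only the first block matches its expected duration and none of the 30, 60 or 120 minute values shows up.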