Does the repeated offenders option get recognized? (you should see messages about it in ossec.log) What version of OSSEC? What platform?
On Thu, Dec 29, 2011 at 3:58 PM, Rainer <[email protected]> wrote:
> Hi!
>
> In my local installation the repeated offenders feature is not
> working. I had an offender on distinct sites on my server (apache
> virtual hosts on one machine) all day, but active response
> always worked only with the normal blocking time.
>
> ossec.conf:
> <active-response>
> <command>firewall-drop</command>
> <location>local</location>
> <repeated_offenders>30,60,120</repeated_offenders>
> <level>8</level>
> <timeout>900</timeout>
> </active-response>
>
> active-responses.log:
> Thu Dec 29 08:21:56 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh add -
> 75.101.153.254 1325143316.548516 31151
> Thu Dec 29 08:37:07 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh delete -
> 75.101.153.254 1325143316.548516 31151
> Thu Dec 29 09:13:34 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh add -
> 75.101.153.254 1325146414.596145 31151
> Thu Dec 29 09:28:35 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh delete -
> 75.101.153.254 1325146414.596145 31151
> Thu Dec 29 09:38:08 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh add -
> 75.101.153.254 1325147888.615001 31151
> Thu Dec 29 09:54:39 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh delete -
> 75.101.153.254 1325147888.615001 31151
> Thu Dec 29 11:18:25 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh add -
> 75.101.153.254 1325153905.692805 31151
> Thu Dec 29 11:33:26 CET
> 2011 /var/ossec/active-response/bin/firewall-drop.sh delete -
> 75.101.153.254 1325153905.692805 31151
> and so on.
>
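
Added example (not part of the original thread and not OSSEC code): a Python check that pairs the add/delete entries of active-responses.log and lists blocks that ended sooner than the configured escalation. It assumes the log layout quoted above, `timeout` in seconds and `repeated_offenders` in minutes, and that the first block uses `timeout` and each later one the next list entry; the function names are hypothetical.

```python
import re
from datetime import datetime

# Log lines quoted in the post, with the mail client's wrapping undone.
SAMPLE_LOG = """\
Thu Dec 29 08:21:56 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325143316.548516 31151
Thu Dec 29 08:37:07 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325143316.548516 31151
Thu Dec 29 09:13:34 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325146414.596145 31151
Thu Dec 29 09:28:35 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325146414.596145 31151
Thu Dec 29 09:38:08 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325147888.615001 31151
Thu Dec 29 09:54:39 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325147888.615001 31151
Thu Dec 29 11:18:25 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 75.101.153.254 1325153905.692805 31151
Thu Dec 29 11:33:26 CET 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 75.101.153.254 1325153905.692805 31151
"""

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
LINE = re.compile(
    r"^\w{3} (\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ (\d{4}) "
    r"\S+ (add|delete) \S+ (\S+) (\S+) (\S+)")

def block_durations(log_text):
    """Return {ip: [seconds blocked, ...]} by pairing each add with its delete."""
    pending, durations = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the quoted layout
        mon, day, hh, mm, ss, year, action, ip, alert_id, _rule = m.groups()
        ts = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        key = (ip, alert_id)  # the alert id ties a delete to its add
        if action == "add":
            pending[key] = ts
        elif key in pending:
            secs = (ts - pending.pop(key)).total_seconds()
            durations.setdefault(ip, []).append(int(secs))
    return durations

def escalation_report(durations, timeout, repeated_minutes, slack=120):
    """Return {ip: [(block number, observed s, expected s)]} for short blocks."""
    # Assumption: block 1 lasts `timeout`, block n+1 the n-th list entry.
    expected = [timeout] + [m * 60 for m in repeated_minutes]
    report = {}
    for ip, observed in durations.items():
        short = [(n + 1, secs, expected[min(n, len(expected) - 1)])
                 for n, secs in enumerate(observed)
                 if secs + slack < expected[min(n, len(expected) - 1)]]
        if short:
            report[ip] = short
    return report
```

Running `escalation_report(block_durations(SAMPLE_LOG), 900, [30, 60, 120])` on the quoted log shows every block after the first still lasting about 900 seconds.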
