OK, here is what I figured out.

Because I have TWO sections of active response in ossec.conf:

<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100005,100030,100032,100034,100036,100037</rules_id>
    <timeout>5600</timeout> <!-- w00t -->
    <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>8</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

In the first one I initially did NOT put repeated_offenders, because the
timeout is already big. It was just in the second one.
But now, with the statement also in the first AR section, repeated_offenders
is recognized and I see it in ossec.log.

Now I have to wait and see if it does the job for the 2nd AR section.
I have to put the special AR section in first place, otherwise it has no effect.

Thanks, and HTH for others
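An added lint check (example code written here, not from the poster or the OSSEC project) that encodes the two observations in this thread: the first <active-response> block must carry repeated_offenders for it to be recognized, and a rules_id-specific block must come before a level-based catch-all block. The sample config is a constructed copy of the blocks above; the function names are hypothetical, and the ordering rules are taken from the poster's observation, not verified against OSSEC source.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two AR blocks from the post, in the problematic
# state (repeated_offenders only in the second, level-based block).
SAMPLE_CONF = """<ossec_config>
<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100005,100030,100032,100034,100036,100037</rules_id>
    <timeout>5600</timeout>
</active-response>
<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>8</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
</active-response>
</ossec_config>"""


def parse_active_responses(conf_text):
    """Return each <active-response> block as a {tag: text} dict, in file order."""
    root = ET.fromstring(conf_text)
    return [{c.tag: (c.text or "").strip() for c in ar}
            for ar in root.iter("active-response")]


def lint_active_responses(blocks):
    """Flag the two misconfigurations described in the post."""
    findings = []
    if not blocks:
        return findings
    if "repeated_offenders" not in blocks[0]:
        findings.append("block 1: first active-response lacks repeated_offenders, "
                        "so the option may be ignored for later blocks")
    seen_level_block = False  # a <level>-based block acts as a catch-all
    for i, b in enumerate(blocks, start=1):
        if "level" in b and "rules_id" not in b:
            seen_level_block = True
        elif "rules_id" in b and seen_level_block:
            findings.append(f"block {i}: rules_id block follows a level-based "
                            "block and may never take effect")
    return findings


def lint_conf(conf_text):
    return lint_active_responses(parse_active_responses(conf_text))


if __name__ == "__main__":
    for f in lint_conf(SAMPLE_CONF):
        print("WARN", f)
```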
