Rainer, also try putting the <repeated_offenders> block in its own section (i.e. not part of the actual active responses). So take it out of both, and put it once in its own <active-response> block.
A few of us have had trouble with this feature. It does work...always just been a question of which config to put it in and how to put it there.

Dan - It is probably asking a lot, but would it be possible to have the "number of the offense" logged in the active-response.log? Just something like (2nd offense). If that's a douchy request, kindly disregard. It is still possible for us to test it using the tools available to us, albeit in a little more round-about way.

----- Original Message -----
From: "Rainer" <[email protected]>
To: [email protected]
Sent: Thursday, December 29, 2011 5:49:01 PM
Subject: Re: [ossec-list] ossec 2.6 repeated offenders not working

OK, here's what I figured out. Because I have TWO sections of active response in ossec.conf:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100005,100030,100032,100034,100036,100037</rules_id>
  <timeout>5600</timeout>
  <!-- w00t -->
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>8</level>
  <timeout>900</timeout>
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

In the first one initially I did NOT put the repeated_offenders because the timeout is already big. It was just in the second one. But now with the statement also in the first AR section, repeated_offenders is recognized and I see it in ossec.log.

Now I have to wait and see if it does the job for the 2nd AR section. I have to put the special AR section in first place, otherwise it has no effect.

Thanks, and HTH for others
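Added example, not part of the thread and not OSSEC code: a small Python check that reports which <active-response> block in an ossec.conf carries <repeated_offenders> and flags the layouts discussed above. The function name and sample config are constructed, and the "first block" check only encodes Rainer's observation, not documented OSSEC behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Rainer's initial layout, with the setting only in the second block.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100005,100030</rules_id>
    <timeout>5600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>8</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
"""

def audit_repeated_offenders(conf_text):
    """Return (blocks, findings) for every <active-response> in conf_text."""
    # ossec.conf may hold several <ossec_config> roots; wrap them so it parses.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    blocks, findings = [], []
    for idx, ar in enumerate(root.iter("active-response"), start=1):
        ro = ar.findtext("repeated_offenders")
        blocks.append({
            "index": idx,
            "command": ar.findtext("command"),
            "repeated_offenders": ro.strip() if ro else None,
            # Dedicated: the block holds nothing but the repeated_offenders element.
            "dedicated": ro is not None and len(list(ar)) == 1,
        })
    carriers = [b for b in blocks if b["repeated_offenders"]]
    if not carriers:
        findings.append("no repeated_offenders setting found")
    if len(carriers) > 1:
        findings.append("repeated_offenders set in %d blocks" % len(carriers))
    for b in carriers:
        if not b["dedicated"]:
            findings.append("block %d mixes it with command %s" % (b["index"], b["command"]))
        if b["index"] != 1:
            findings.append("block %d is not the first active-response block" % b["index"])
    return blocks, findings

if __name__ == "__main__":
    for line in audit_repeated_offenders(SAMPLE_CONF)[1]:
        print(line)
```
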
