Repeated offenders tag in active response doesn't seem to be working.  Do
the agents need to be upgraded for repeated offenders to work?

   - ossec server 2.6.0
   - ossec agent 2.5.1


  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
    <!-- block 1 hr, 1 day, 1 week on repeated offenses -->
    <repeated_offenders>60,1440,10080</repeated_offenders>
  </active-response>

The log on the agent shows:

[root@mail3 ~]# cat /var/ossec/logs/active-responses.log
Sun Jul 15 09:42:09 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36
1342370529.17815356 9952
Sun Jul 15 09:52:39 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36
1342370529.17815356 9952
Sun Jul 15 11:00:32 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36
1342375232.20150806 9952
Sun Jul 15 11:11:02 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36
1342375232.20150806 9952
Sun Jul 15 11:23:28 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36
1342376608.20831211 9952
Sun Jul 15 11:33:58 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36
1342376608.20831211 9952
Sun Jul 15 11:38:41 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36
1342377521.21301498 9952
Sun Jul 15 11:49:11 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36
1342377521.21301498 9952
Sun Jul 15 13:26:21 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36
1342383981.24654764 9952
Sun Jul 15 13:36:51 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36
1342383981.24654764 9952
Sun Jul 15 15:37:36 PDT 2012
/var/ossec/active-response/bin/firewall-drop.sh add - 110.186.220.231
1342391856.28661211 9952



-- 
Gil Vidals
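
One way to confirm from active-responses.log whether block times are escalating, as an added example that is not part of the original post or of OSSEC. It assumes the first block of an IP lasts `<timeout>` seconds and each later block takes the next `repeated_offenders` entry (minutes); the function names are hypothetical, and the sample is the first three add/delete pairs from the log above, one entry per line.

```python
import re
from datetime import datetime

# First three add/delete pairs from the log in the post, one entry per line.
SAMPLE_LOG = """\
Sun Jul 15 09:42:09 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342370529.17815356 9952
Sun Jul 15 09:52:39 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342370529.17815356 9952
Sun Jul 15 11:00:32 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342375232.20150806 9952
Sun Jul 15 11:11:02 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342375232.20150806 9952
Sun Jul 15 11:23:28 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342376608.20831211 9952
Sun Jul 15 11:33:58 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342376608.20831211 9952
"""

# Matches an entry whether it sits on one line or is wrapped as in the e-mail.
ENTRY = re.compile(
    r"\w{3} (\w{3}\s+\d+ \d\d:\d\d:\d\d) \w+ (\d{4})\s+"
    r"\S*firewall-drop\.sh (add|delete) \S+ (\S+)")

def block_durations(text):
    """Return {ip: [seconds each completed block lasted]}; open blocks are skipped."""
    opened, durations = {}, {}
    for stamp, year, action, ip in ENTRY.findall(text):
        # The timezone label is dropped: only differences within one log matter.
        when = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
        if action == "add":
            opened[ip] = when
        elif ip in opened:
            secs = int((when - opened.pop(ip)).total_seconds())
            durations.setdefault(ip, []).append(secs)
    return durations

def escalation_report(durations, timeout, repeated_minutes, slack=60):
    """Per IP, list (observed_s, expected_s, within_slack) for each block.
    Assumed schedule: <timeout> first, then each repeated_offenders entry."""
    schedule = [timeout] + [m * 60 for m in repeated_minutes]
    report = {}
    for ip, observed in durations.items():
        report[ip] = [
            (secs, schedule[min(n, len(schedule) - 1)],
             abs(secs - schedule[min(n, len(schedule) - 1)]) <= slack)
            for n, secs in enumerate(observed)]
    return report

if __name__ == "__main__":
    found = block_durations(SAMPLE_LOG)
    for ip, rows in escalation_report(found, 600, [60, 1440, 10080]).items():
        for secs, expected, ok in rows:
            verdict = "ok" if ok else "NOT escalated"
            print(f"{ip}: blocked {secs}s, expected ~{expected}s: {verdict}")
```

On this sample every block lasts 630 seconds, so the second and third blocks match the plain `<timeout>` rather than the 60-minute and 1-day entries.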
