Apparently <repeated_offenders> must be added to the ossec.conf in the agents (not the server). I'll upgrade the agents to 2.6 and then add the <repeated_offenders> to the conf and see if that solves it.
Gil Vidals

On Sun, Jul 15, 2012 at 4:55 PM, Gil Vidals <[email protected]> wrote:
> Repeated offenders tag in active response doesn't seem to be working. Do
> the agents need to be upgraded for repeated offenders to work?
>
> - ossec server 2.6.0
> - ossec agent 2.5.1
>
> <active-response>
>   <disabled>no</disabled>
>   <command>firewall-drop</command>
>   <!-- local means on the server that had the event; e.g.,
>        lan.web.truepath.com -->
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
>   <!-- block 1 hr, 1 day, 1 week on repeated offenses -->
>   <repeated_offenders>60,1440,10080</repeated_offenders>
> </active-response>
>
> log of the agent shows:
>
> [root@mail3 ~]# cat /var/ossec/logs/active-responses.log
> Sun Jul 15 09:42:09 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342370529.17815356 9952
> Sun Jul 15 09:52:39 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342370529.17815356 9952
> Sun Jul 15 11:00:32 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342375232.20150806 9952
> Sun Jul 15 11:11:02 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342375232.20150806 9952
> Sun Jul 15 11:23:28 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342376608.20831211 9952
> Sun Jul 15 11:33:58 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342376608.20831211 9952
> Sun Jul 15 11:38:41 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342377521.21301498 9952
> Sun Jul 15 11:49:11 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342377521.21301498 9952
> Sun Jul 15 13:26:21 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342383981.24654764 9952
> Sun Jul 15 13:36:51 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342383981.24654764 9952
> Sun Jul 15 15:37:36 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 110.186.220.231 1342391856.28661211 9952
>
> --
> Gil Vidals

--
Gil Vidals
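As an added example (not from this thread and not OSSEC's own code), a small Python checker that pairs each add/delete in active-responses.log per source IP and compares how long each block actually lasted with what <timeout> and <repeated_offenders> should have produced; the sample records are constructed from the ones quoted above, re-joined one per line as the active-response scripts write them, and the escalation rule (first block uses <timeout>, later blocks walk the repeated_offenders list and stay at its last value) is an assumption about OSSEC's behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

BASE_TIMEOUT_S = 600                        # <timeout> from the quoted config
REPEATED_OFFENDERS_MIN = [60, 1440, 10080]  # <repeated_offenders>, minutes
# Constructed sample: the thread's records, one per line as the scripts write them.
SAMPLE_LOG = """\
Sun Jul 15 09:42:09 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342370529.17815356 9952
Sun Jul 15 09:52:39 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342370529.17815356 9952
Sun Jul 15 11:00:32 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342375232.20150806 9952
Sun Jul 15 11:11:02 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342375232.20150806 9952
Sun Jul 15 15:37:36 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 110.186.220.231 1342391856.28661211 9952
"""
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \w+ (?P<year>\d{4}) "
    r"\S+ (?P<action>add|delete) - (?P<ip>\S+) \S+ \d+$")

def parse_log(text):
    """Yield (timestamp, action, ip) per well-formed record; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {m['year']}",
                                   "%b %d %H:%M:%S %Y")
            yield ts, m["action"], m["ip"]

def expected_timeout_s(offense_no):
    """Seconds the Nth block (0-based) of one IP should last: <timeout> first,
    then the repeated_offenders values in order, staying at the last (assumed)."""
    if offense_no == 0:
        return BASE_TIMEOUT_S
    return REPEATED_OFFENDERS_MIN[min(offense_no - 1, len(REPEATED_OFFENDERS_MIN) - 1)] * 60

def block_history(text):
    """Pair adds with the next delete per IP -> {ip: [(actual_s, expected_s), ...]}; open blocks omitted."""
    open_blocks, history = {}, defaultdict(list)
    for ts, action, ip in parse_log(text):
        if action == "add":
            open_blocks[ip] = ts
        elif ip in open_blocks:
            actual = (ts - open_blocks.pop(ip)).total_seconds()
            history[ip].append((actual, expected_timeout_s(len(history[ip]))))
    return dict(history)

def escalation_working(text, slack_s=120):
    """False if any repeat block was lifted well before its escalated timeout."""
    return all(actual + slack_s >= expected
               for blocks in block_history(text).values()
               for actual, expected in blocks[1:])
```

On the quoted log the second block of 184.151.190.36 lasts about 630 s instead of the expected 3600 s, so the checker reports that escalation is not taking effect, which is the symptom the thread describes.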
