On Mon, Jul 16, 2012 at 2:50 AM, sahil sharma <[email protected]> wrote:
>
>
>>
>> Check the frequency documentation:
>> http://devio.us/~ddp/ossec/docs/syntax/head_rules.html
>>
>
> Thanks for the information.
>
>>
>> > *2) I want to block the client that has triggered this rule so that he
>> > doesn't get a chance to login anymore (block the client). How can I do
>> > it? I tried adding this rule on the "active response" field with
>> > "timeout=600".
>> >
>> > I guess then the client should be blocked and not allowed to log in to
>> > the client for the next 600 sec, but the client is immediately able to
>> > gain access. (I hope I am getting it right).
>> >
>> > Please help.
>>
>> You forgot to include the configuration you tried. Did you restart the
>> ossec processes on the ossec server after making this change? Is
>> active response enabled on the agent?
>
>
> Yes, I restarted the ossec server after making this change and I have
> enabled the active response in the client config as well.
>

What does that mean? Other than enabling AR, there shouldn't be any
configuration necessary on the agents.

> In server config :::
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for  600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <rules_id>100153</rules_id>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
>
>
> In local rules :::
>    <rule id="100153" level="10" frequency="2" timeframe="240">
>     <if_matched_sid>18106</if_matched_sid>
>     <description>Multiple window logon failure</description>
>   </rule>
>
>
>
> In agent's config :::
>   <active-response>
>     <disabled>no</disabled>
>   </active-response>
>
>
> I just want to block a client which triggers this rule "100153", but even
> after multiple logon failures, the client is not being blocked for 600
> seconds. Though, I can see the alert at the server.
>
> I hope I am not missing something.
> Please help.

You need to make sure the srcip gets decoded properly in rule 18106
for this to work properly. Use ossec-logtest to test it.
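
An added example, not from the thread or from OSSEC itself: a small Python check that scans alerts.log text for alerts matching the active-response trigger (rule 100153, level >= 6) that carry no decoded "Src IP:" line, which is the condition the reply above says to verify with ossec-logtest. It assumes the alerts.log layout shown in the constructed sample below.

```python
import re

# Constructed sample in the layout of OSSEC's alerts.log (an assumption of
# this example, not output from the thread); the second alert has no "Src IP:".
SAMPLE_ALERTS = """\
** Alert 1342421401.1001: - windows,authentication_failed,
2012 Jul 16 02:50:01 (winagent) 10.0.0.5->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
Src IP: 192.168.1.20

** Alert 1342421455.1102: - local,syslog,
2012 Jul 16 02:50:55 (winagent) 10.0.0.5->WinEvtLog
Rule: 100153 (level 10) -> 'Multiple window logon failure'

** Alert 1342421460.1200: - local,syslog,
2012 Jul 16 02:51:00 (winagent) 10.0.0.5->WinEvtLog
Rule: 100153 (level 10) -> 'Multiple window logon failure'
Src IP: 192.168.1.20
"""

ALERT_ID_RE = re.compile(r"\*\* Alert (\S+):")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
SRCIP_RE = re.compile(r"^Src IP: (\S+)$", re.M)


def parse_alerts(text):
    """Split alerts.log text into dicts of id, rule, level and srcip (None if absent)."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        m_id, m_rule = ALERT_ID_RE.match(block), RULE_RE.search(block)
        if not m_id or not m_rule:
            continue  # not a well-formed alert block
        m_ip = SRCIP_RE.search(block)
        alerts.append({"id": m_id.group(1), "rule": int(m_rule.group(1)),
                       "level": int(m_rule.group(2)),
                       "srcip": m_ip.group(1) if m_ip else None})
    return alerts


def responses_without_srcip(text, rule_id, min_level):
    """IDs of alerts that meet the active-response trigger (rule id and level)
    but carry no decoded srcip, so a host-deny response has no address to
    block; these are the events to feed through ossec-logtest."""
    return [a["id"] for a in parse_alerts(text)
            if a["rule"] == rule_id and a["level"] >= min_level
            and a["srcip"] is None]
```

Run it against a real alerts.log by passing the file contents in place of the constructed sample; an empty result means every triggering alert had a source address for the response to act on.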
