I am running an agent/server configuration of OSSEC.  I have added the 
repeated offenders configuration block to all of my agents and the server 
as follows:

  <active-response>
    <repeated_offenders>120,180,240</repeated_offenders>
  </active-response>


When I restart OSSEC, I do see the messages indicating that it recognizes 
the settings:

2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 120 (for #1)
2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 180 (for #2)
2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 240 (for #3)

However, I continue to see repeated attacks that are coming back every 
hour, or rather, the blocking is deleted after one hour each time:

Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
Tue Mar 12 10:06:29 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363097189.212231955 5712

I am running OSSEC version 2.6 on all machines.

The only answer I've seen to this issue is to make sure it is configured on 
the agent side but, as I mentioned, I am already doing that.

Am I missing something?

Thanks.

Martin

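An added example, written for this thread and not code from the original post or from the OSSEC project: a small checker that reads active-responses.log lines in the format shown above, pairs each firewall-drop "add" with the "delete" that carries the same alert id, and compares the observed block lengths with the repeated_offenders ladder. The sample lines are the ones from the post, restored to one line each. The checker assumes (labelled in the code) that the first block runs for the command's own base timeout and that the n-th repeat block should last the n-th repeated_offenders value in minutes, capped at the last value; if the observed durations stay flat at about an hour while the ladder says 120, 180, 240 minutes, the escalation is not taking effect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the firewall-drop add/delete lines from the post, each
# restored to the single-line form OSSEC writes to active-responses.log.
SAMPLE_LOG = """\
Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
Tue Mar 12 10:06:29 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363097189.212231955 5712
"""

# One active-responses.log line: timestamp, script, action, user, ip, alert id, rule id.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule>\d+)\s*$"
)


def parse_active_responses(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split()) + " " + m["year"]  # collapse "Mar  5"
        events.append({
            "time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
            "action": m["action"],
            "ip": m["ip"],
            "alert_id": m["alert_id"],
            "rule": int(m["rule"]),
        })
    return events


def block_durations(events):
    """Per IP, list each block with its length in seconds (None if never deleted)."""
    open_blocks = {}
    history = defaultdict(list)
    for ev in events:
        key = (ev["ip"], ev["alert_id"])
        if ev["action"] == "add":
            open_blocks[key] = ev["time"]
            history[ev["ip"]].append(
                {"alert_id": ev["alert_id"], "added": ev["time"], "duration_s": None})
        else:
            start = open_blocks.pop(key, None)
            if start is None:
                continue  # delete without a matching add: ignore
            for entry in history[ev["ip"]]:
                if entry["alert_id"] == ev["alert_id"] and entry["duration_s"] is None:
                    entry["duration_s"] = int((ev["time"] - start).total_seconds())
                    break
    return dict(history)


def escalation_report(history, timeouts_min):
    """Compare completed block lengths against the repeated_offenders ladder.

    Assumption: block 0 runs for the command's base <timeout> (not part of the
    ladder), and repeat block n (n >= 1) should last timeouts_min[n-1] minutes,
    capped at the last ladder entry.
    """
    report = {}
    for ip, blocks in history.items():
        closed = [b["duration_s"] for b in blocks if b["duration_s"] is not None]
        expected = []
        for n in range(len(closed)):
            if n == 0:
                expected.append(None)
            else:
                expected.append(timeouts_min[min(n, len(timeouts_min)) - 1] * 60)
        escalating = all(later > earlier for earlier, later in zip(closed, closed[1:]))
        report[ip] = {
            "observed_s": closed,
            "expected_s": expected,
            "escalating": escalating,
            "open_blocks": sum(1 for b in blocks if b["duration_s"] is None),
        }
    return report


if __name__ == "__main__":
    hist = block_durations(parse_active_responses(SAMPLE_LOG))
    for ip, r in escalation_report(hist, [120, 180, 240]).items():
        print(ip, "observed:", r["observed_s"], "expected:", r["expected_s"],
              "escalating:", r["escalating"], "still open:", r["open_blocks"])
```

Run against the real file with `parse_active_responses(open("/var/ossec/logs/active-responses.log").read())`; an IP whose observed durations stay near the base timeout while "escalating" is False is exactly the symptom described in the post.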