Hello,
I have added the repeated_offenders configuration block to all of my
agents and the server as follows:
<active-response>
  <repeated_offenders>120,180,240</repeated_offenders>
</active-response>
When I restart OSSEC on the agent, I do see the messages indicating that
it recognizes the settings:
2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 (for #1)
2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 (for #2)
2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 (for #3)
However, I continue to see repeated attacks where the blocking is
deleted after the default 60 minutes each time:
Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
Tue Mar 12 10:06:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363093523.180046077 5712
The only solution I've seen to this issue is to make sure this is
configured on the agent side, not the server. As I mentioned, I have
done this.
I am running OSSEC 2.6 on the server and all agents.
Am I missing something?
thanks.
Martin
PS. Sorry if this is a duplicate posting, I tried posting through the
web interface and it didn't show up.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
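The post above reads the escalation failure off the active-responses.log by eye. The following is an added example, not code from the post or from OSSEC, that does the same check mechanically: it parses active-responses.log lines, pairs each `add` with the following `delete` for the same IP, and compares each observed block length with what a `repeated_offenders` list of 120,180,240 should produce. Two assumptions are made that the page does not state: the first block of an address lasts the command's normal timeout (taken as 60 minutes, the figure the post observes), and the n-th repeat uses the n-th `repeated_offenders` entry, with the last entry reused once the list is exhausted. The sample log embedded in the block is constructed from the lines quoted in the post.

```python
"""Audit OSSEC active-responses.log for repeated_offenders escalation.

Added example, not part of the mailing-list post or of OSSEC. The
escalation schedule below (first block = base timeout, n-th repeat =
n-th repeated_offenders entry, last entry reused) is an assumption.
"""
import re
from datetime import datetime

# Constructed sample: the active-responses.log lines quoted in the post,
# one record per line as ossec writes them.
SAMPLE_LOG = """\
Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
Tue Mar 12 10:06:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363093523.180046077 5712
"""

# "<dow> <mon> <day> <HH:MM:SS> <tz> <year> <script> <add|delete> <user> <ip> <alert-id> <rule-id>"
# The timezone token is skipped so parsing does not depend on the host's locale/zone.
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) (?P<alert_id>\S+) (?P<rule>\d+)$"
)


def parse_line(line):
    """Return a dict for one active-responses.log record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {m['year']}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "action": m["action"], "ip": m["ip"],
            "alert_id": m["alert_id"], "rule": int(m["rule"])}


def block_intervals(lines):
    """Pair each 'add' with the next 'delete' for the same IP -> {ip: [(start, end, rule), ...]}."""
    open_blocks, intervals = {}, {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "add":
            open_blocks[ev["ip"]] = ev          # a second 'add' before 'delete' simply restarts the clock
        elif ev["ip"] in open_blocks:
            start = open_blocks.pop(ev["ip"])
            intervals.setdefault(ev["ip"], []).append((start["ts"], ev["ts"], ev["rule"]))
    return intervals


def expected_minutes(n, base_timeout, repeated):
    """Assumed schedule: block 0 = base timeout; repeat n uses repeated[n-1], last entry reused."""
    if n == 0 or not repeated:
        return base_timeout
    return repeated[min(n - 1, len(repeated) - 1)]


def audit(lines, base_timeout=60, repeated=(120, 180, 240), tolerance=5):
    """Compare every observed block length (minutes) with the expected escalated timeout."""
    report = []
    for ip, blocks in block_intervals(lines).items():
        for n, (start, end, rule) in enumerate(blocks):
            observed = (end - start).total_seconds() / 60
            expected = expected_minutes(n, base_timeout, repeated)
            report.append({"ip": ip, "block": n + 1, "rule": rule,
                           "observed_min": round(observed, 1), "expected_min": expected,
                           "matches": abs(observed - expected) <= tolerance})
    return report


def escalation_applied(lines, **kw):
    """True only if every repeat block (2nd onwards) lasted its escalated timeout."""
    return all(r["matches"] for r in audit(lines, **kw) if r["block"] > 1)


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG.splitlines()):
        flag = "ok" if r["matches"] else "NOT escalated"
        print(f"{r['ip']} block #{r['block']} (rule {r['rule']}): "
              f"{r['observed_min']} min observed, {r['expected_min']} min expected -> {flag}")
    print("escalation applied:", escalation_applied(SAMPLE_LOG.splitlines()))
```

Run it against a real `/var/ossec/logs/active-responses.log` by passing `open(path)` instead of `SAMPLE_LOG.splitlines()`; on the lines from the post every repeat block comes out at roughly 61 minutes against an expected 120, 180 or 240, so the audit reports the escalation as not applied. The `tolerance` argument absorbs the scheduling slack visible in the post (deletes land about a minute late), and `block_intervals` pairs on IP rather than alert id because each new block in the post carries a fresh alert id.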