Not for me, but apparently it does for others.

On Tuesday, March 12, 2013 11:56:56 AM UTC-4, dan (ddpbsd) wrote:
>
>
> On Mar 12, 2013 11:40 AM, "Martin Gottlieb" <[email protected]> wrote:
> >
> >
> > Hello,
> >
> > I have added the repeated_offenders configuration block to all of my agents and the server as follows:
> >
> > <active-response>
> >     <repeated_offenders>120,180,240</repeated_offenders>
> > </active-response>
> >
> > When I restart OSSEC on the agent, I do see the messages indicating that it recognizes the settings:
> >
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 (for #1)
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 (for #2)
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 (for #3)
> >
> > However, I continue to see repeated attacks where the blocking is deleted after the default 60 minutes each time:
> >
> > Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
> > Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
> > Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
> > Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
> > Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
> > Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
> > Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
> > Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
> > Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
> > Tue Mar 12 10:06:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363093523.180046077 5712
> >
> > The only solution I've seen to this issue is to make sure this is configured on the agent side, not the server.  As I mentioned, I have done this.
>
> So this works if you correctly configure this setting on the agent?
>
> > I am running OSSEC 2.6 on the server and all agents.
> >
> > Am I missing something?
> >
> > thanks.
> >
> > Martin
> >
> > PS.  Sorry if this is a duplicate posting, I tried posting through the web interface and it didn't show up.
> >
> > -- 
> >  
> > --- 
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
> >
>  
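
Added example, not part of the original thread and not OSSEC's own code: a Python check that pairs the add/delete entries of the active-response log quoted above and tests whether block lengths follow the configured ladder. It assumes a 60-minute base timeout, that repeated_offenders values are minutes, and that the first block uses the base timeout; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: the first three add/delete pairs from the log quoted in the thread.
FD = "/var/ossec/active-response/bin/firewall-drop.sh"
SAMPLE_LOG = f"""\
Tue Mar 12 04:02:23 EDT 2013 {FD} add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 {FD} delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 {FD} add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 {FD} delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 {FD} add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 {FD} delete - 209.190.64.19 1363085246.126982032 5712
"""

# weekday, "Mon DD HH:MM:SS", timezone, year, script, action, user, source IP
LINE_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} +\d+ [\d:]{8}) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<ip>\S+)")

def block_durations(log_text):
    """Pair each add with the next delete; return {ip: [minutes blocked, ...]}."""
    pending, result = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not active-response entries
        when = datetime.strptime(f"{m['ts']} {m['year']}", "%b %d %H:%M:%S %Y")
        key = (m["script"], m["ip"])
        if m["action"] == "add":
            pending.setdefault(key, when)  # keep the earliest unmatched add
        elif key in pending:
            minutes = round((when - pending.pop(key)).total_seconds() / 60)
            result.setdefault(m["ip"], []).append(minutes)
    return result

def escalation_check(durations, base=60, offenders=(120, 180, 240), slack=5):
    """Per IP, say whether the n-th block matched the expected timeout ladder.
    Assumption: block 1 uses the base timeout, block n+1 uses offenders[n-1],
    and the last value repeats once the list is exhausted."""
    ladder = (base, *offenders)
    return {ip: [abs(got - ladder[min(i, len(ladder) - 1)]) <= slack
                 for i, got in enumerate(obs)]
            for ip, obs in durations.items()}

if __name__ == "__main__":
    seen = block_durations(SAMPLE_LOG)
    print(seen, escalation_check(seen))
```

A `False` at position 2 or later for an address means the repeat block was lifted on a timeout other than the one expected from the ladder, which is the symptom reported in this thread.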
