On Tue, Mar 12, 2013 at 2:10 PM, Martin G <[email protected]> wrote:
>
> Not for me, but apparently it does for others.
>

I don't really have any troubleshooting tips for this. You could possibly add some debugging code to figure it out, but I don't know where to start.

> On Tuesday, March 12, 2013 11:56:56 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mar 12, 2013 11:40 AM, "Martin Gottlieb" <[email protected]> wrote:
>> >
>> > Hello,
>> >
>> > I have added the repeated_offenders configuration block to all of my
>> > agents and the server as follows:
>> >
>> >   <active-response>
>> >     <repeated_offenders>120,180,240</repeated_offenders>
>> >   </active-response>
>> >
>> > When I restart OSSEC on the agent, I do see the messages indicating that
>> > it recognizes the settings:
>> >
>> >   2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 (for #1)
>> >   2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 (for #2)
>> >   2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 (for #3)
>> >
>> > However, I continue to see repeated attacks where the blocking is
>> > deleted after the default 60 minutes each time:
>> >
>> >   Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
>> >   Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
>> >   Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
>> >   Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
>> >   Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
>> >   Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
>> >   Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
>> >   Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
>> >   Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
>> >   Tue Mar 12 10:06:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363093523.180046077 5712
>> >
>> > The only solution I've seen to this issue is to make sure this is
>> > configured on the agent side, not the server. As I mentioned, I have done
>> > this.
>>
>> So this works if you correctly configure this setting on the agent?
>>
>> > I am running OSSEC 2.6 on the server and all agents.
>> >
>> > Am I missing something?
>> >
>> > Thanks.
>> >
>> > Martin
>> >
>> > PS. Sorry if this is a duplicate posting, I tried posting through the
>> > web interface and it didn't show up.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
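The thread never settles whether the escalation is being applied, so a quick way to tell is to measure the observed block lengths in active-responses.log and compare them with what the configured repeated_offenders list promises. The script below is an added example, not OSSEC code or anything posted in the thread; it assumes the log line layout shown above and, as a labelled assumption, that the last list value keeps applying once the list is exhausted.

```python
import re
from datetime import datetime

# Expected block lengths in minutes: OSSEC's default 60 for the first block of
# a source, then the repeated_offenders list (120,180,240 in the thread) for
# the second, third, ... block of the same source.
DEFAULT_TIMEOUT = 60
REPEATED_OFFENDERS = [120, 180, 240]

# Matches the firewall-drop.sh lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) \w+ (?P<year>\d{4}) "
    r"\S+ (?P<action>add|delete) - (?P<ip>\S+) "
)

def parse_line(line):
    """Return (timestamp, action, ip) for an active-response line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return ts, m["action"], m["ip"]

def expected_timeout(block_no):
    """Minutes the n-th block (1-based) of one source should last.
    Assumption: once the list is exhausted the last value keeps applying."""
    if block_no <= 1 or not REPEATED_OFFENDERS:
        return DEFAULT_TIMEOUT
    return REPEATED_OFFENDERS[min(block_no - 2, len(REPEATED_OFFENDERS) - 1)]

def audit_blocks(log_lines, tolerance_min=5):
    """Pair each 'add' with the next 'delete' for the same IP and flag blocks
    whose length is not the one the escalation promises.
    Returns (ip, block_no, observed_min, expected_min, ok) per finished block."""
    open_blocks, counts, results = {}, {}, []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format (e.g. host-deny.sh noise)
        ts, action, ip = parsed
        if action == "add":
            open_blocks[ip] = ts
        elif action == "delete" and ip in open_blocks:
            n = counts[ip] = counts.get(ip, 0) + 1
            observed = (ts - open_blocks.pop(ip)).total_seconds() / 60
            expected = expected_timeout(n)
            results.append((ip, n, round(observed), expected,
                            abs(observed - expected) <= tolerance_min))
    return results

# First three add/delete pairs quoted in the thread above.
SAMPLE_LOG = [
    "Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720",
    "Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720",
    "Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712",
    "Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712",
    "Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712",
    "Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712",
]

if __name__ == "__main__":
    for row in audit_blocks(SAMPLE_LOG):
        print(row)  # the 2nd and 3rd blocks come out ~61 min, not 120/180
```

Run it against the real /var/ossec/logs/active-responses.log on the agent; a run of `ok == False` rows with observed lengths stuck near 60 is exactly the symptom described in the thread.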
