After removing <timeout_allowed>yes</timeout_allowed> and <timeout>7200</timeout>, the active response now triggers every time. However, this is usually not a problem since I can set up other triggers for removing the block. But I assume that it is not supposed to work in this way, i.e. if a user is passed on, there will never be more than one blocked at a time for the same rule since the IP address is always the same "-".
On Saturday, August 17, 2013 3:37:18 PM UTC+2, Per-Erik Persson wrote:
>
> This is one example rule.
>
> <rule id="20111" level="8" frequency="1" timeframe="3600" ignore="60">
>   <if_matched_sid>20105</if_matched_sid>
>   <same_user/>
>   <description>Multiple phishingattempts with known bad links</description>
> </rule>
>
> <command>
>   <name>reject-sender</name>
>   <executable>reject-sender.sh</executable>
>   <expect>user</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <!-- dummy -->
>   <command>reject-sender</command>
>   <location>defined-agent</location>
>   <agent_id>032</agent_id>
>   <level>8</level>
>   <timeout>7200</timeout>
>   <rules_id>20110, 20111, 20112, 20117</rules_id>
> </active-response>
>
> After fiddling with the timeout, I found out that the rule can fire as
> often as the ignore field allows.
> But it will only allow one single user at a time to be fired as an active
> response.
> I assume that the system is all about ipadresses?
> Is there a way around this?
>
> --
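As an added illustration (not part of the thread, and not OSSEC's own source), the following Python models a timeout-deduplicated active-response queue keyed on the source IP, and the same queue keyed on the user instead. It assumes the behaviour described above: user-triggered alerts reach the response with srcip "-", so an IP-keyed timeout list treats every user as the same pending block and only the first one is ever added, while a user-keyed list gives each user its own block and its own expiry. The names (`Alert`, `ResponseQueue`, `run`) and the sample alerts are constructed for the example.

```python
"""Model of an active-response timeout list keyed on srcip vs. on user.

Added example for illustration; the keying rule is an assumption that
matches the behaviour reported in the thread, not a copy of OSSEC's code.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule_id: int
    user: str
    srcip: str = "-"  # user-based rules carry no source IP; assume "-" is passed


@dataclass
class ResponseQueue:
    timeout: int                 # seconds a block stays active before "delete"
    key_fields: tuple            # alert fields that identify a pending block
    pending: dict = field(default_factory=dict)   # key -> expiry time
    fired: list = field(default_factory=list)     # (action, key, time) records

    def key(self, alert: Alert) -> tuple:
        return tuple(getattr(alert, f) for f in self.key_fields)

    def expire(self, now: int) -> int:
        """Fire the delete action for every block whose timeout has passed."""
        expired = [k for k, exp in self.pending.items() if exp <= now]
        for k in expired:
            del self.pending[k]
            self.fired.append(("delete", k, now))
        return len(expired)

    def handle(self, alert: Alert, now: int) -> bool:
        """Return True if a new block was added, False if it was a repeat."""
        self.expire(now)
        k = self.key(alert)
        if k in self.pending:
            # Same key already blocked: treat as a repeat and refresh the
            # timeout instead of running the add action again.
            self.pending[k] = now + self.timeout
            return False
        self.pending[k] = now + self.timeout
        self.fired.append(("add", k, now))
        return True


def run(key_fields: tuple, timeout: int = 7200):
    """Replay three constructed alerts for rule 20111 from different users."""
    q = ResponseQueue(timeout, key_fields)
    alerts = [  # (time, alert) -- constructed sample input
        (0, Alert(20111, "alice")),
        (100, Alert(20111, "bob")),
        (200, Alert(20111, "carol")),
    ]
    added = [q.handle(a, t) for t, a in alerts]
    return added, q


if __name__ == "__main__":
    for fields in (("srcip",), ("user", "srcip")):
        added, q = run(fields)
        print(f"keyed on {fields}: adds={added}, pending={len(q.pending)}")
```

With the IP-only key the second and third users never trigger the add action, which is the single-user-at-a-time behaviour reported above; keying on the user as well removes the collision. In a real deployment the check to make is which fields the response runner actually compares when <timeout> is set, and to include the user in that comparison (or drop the timeout and clear blocks through a separate rule, as the reply describes) when the rule is user-based.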
