Hi Jesus,
It worked much better! Kicking out offenders more and more now :-)
My Google-fu was also better yesterday and I found this blog post:
https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

/x


On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens <[email protected]>
wrote:

> Thanks for the tips! I'll test again following your advices...
>
> /x
>
> On Thu, May 19, 2016 at 9:33 AM, Jesus Linares <[email protected]> wrote:
>
>> Hi,
>>
>> I guess that your command needs an IP, so if your rule *xxx *doesn't
>> have the field *srcip *extracted (by the proper decoder) the
>> active-response will not work.
>>
>> Also, keep in mind that *repeated_offenders *must be in* ossec.conf* of 
>> *every
>> agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>>
>> Regards.
>>
>> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>>
>>> Hi *,
>>>
>>> I'm trying to implement a new active-response rule for a specific event
>>> (1 rule ID).
>>> It must be implement with the <repeated_offenders> tag.
>>>
>>> Problem: I've multiple active-response rules matching this event and it
>>> seems that OSSEC picks up the wrong one (repeater offenders are not
>>> applied).
>>>
>>> Any idea to debug this? The rule is:
>>>
>>> <active-response>
>>>     <command>firewall-drop-aggressive</command>
>>>     <location>local</location>
>>>     <timeout>600</timeout>
>>>     <rules_id>xxx</rules_id>
>>>     <repeated_offenders>30,60,120,240,480</repeated_offenders>
>>>   </active-response>
>>>
>>> /x
>>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to