Hi Jesus, It worked much better! Kicking out offenders more and more now :-) My Google-fu was also better yesterday and I found this blog post: https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
/x On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens <[email protected]> wrote: > Thanks for the tips! I'll test again following your advices... > > /x > > On Thu, May 19, 2016 at 9:33 AM, Jesus Linares <[email protected]> wrote: > >> Hi, >> >> I guess that your command needs an IP, so if your rule *xxx *doesn't >> have the field *srcip *extracted (by the proper decoder) the >> active-response will not work. >> >> Also, keep in mind that *repeated_offenders *must be in* ossec.conf* of >> *every >> agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid). >> >> Regards. >> >> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote: >>> >>> Hi *, >>> >>> I'm trying to implement a new active-response rule for a specific event >>> (1 rule ID). >>> It must be implement with the <repeated_offenders> tag. >>> >>> Problem: I've multiple active-response rules matching this event and it >>> seems that OSSEC picks up the wrong one (repeater offenders are not >>> applied). >>> >>> Any idea to debug this? The rule is: >>> >>> <active-response> >>> <command>firewall-drop-aggressive</command> >>> <location>local</location> >>> <timeout>600</timeout> >>> <rules_id>xxx</rules_id> >>> <repeated_offenders>30,60,120,240,480</repeated_offenders> >>> </active-response> >>> >>> /x >>> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/d/optout. >> > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
