I'm glad to help. Also, I wrote a post about blocking attacks with active response (including repeated offenders configuration): http://blog.wazuh.com/blocking-attacks-active-response/
I hope you find it interesting. Regards.

On Friday, May 20, 2016 at 8:27:38 AM UTC+2, Xavier Mertens wrote:
>
> Hi Jesus,
> It worked much better! Kicking out offenders more and more now :-)
> My Google-fu was also better yesterday and I found this blog post:
>
> https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
>
> /x
>
>
> On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens <[email protected]> wrote:
>
>> Thanks for the tips! I'll test again following your advice...
>>
>> /x
>>
>> On Thu, May 19, 2016 at 9:33 AM, Jesus Linares <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I guess that your command needs an IP, so if your rule *xxx* doesn't
>>> have the field *srcip* extracted (by the proper decoder) the
>>> active-response will not work.
>>>
>>> Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of
>>> *every agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>>>
>>> Regards.
>>>
>>> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>>>
>>>> Hi *,
>>>>
>>>> I'm trying to implement a new active-response rule for a specific event
>>>> (1 rule ID).
>>>> It must be implemented with the <repeated_offenders> tag.
>>>>
>>>> Problem: I have multiple active-response rules matching this event and it
>>>> seems that OSSEC picks up the wrong one (repeated offenders are not
>>>> applied).
>>>>
>>>> Any idea how to debug this? The rule is:
>>>>
>>>> <active-response>
>>>> <command>firewall-drop-aggressive</command>
>>>> <location>local</location>
>>>> <timeout>600</timeout>
>>>> <rules_id>xxx</rules_id>
>>>> <repeated_offenders>30,60,120,240,480</repeated_offenders>
>>>> </active-response>
>>>>
>>>> /x
>>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>
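As an added check (not code from the thread or from OSSEC itself), the following Python script parses an ossec.conf fragment and flags the two pitfalls Jesus describes: an <active-response> block with <repeated_offenders> whose command does not <expect>srcip</expect>, and repeated_offenders placed in the shared agent.conf, where it is ignored. The sample configuration, the hypothetical restart-ossec command and the out-of-order timeout list are constructed for the demonstration; it also checks that the timeout list grows monotonically.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not from the thread): the first command expects
# srcip, the hypothetical second one does not, yet both use repeated_offenders.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop-aggressive</name>
    <expect>srcip</expect>
  </command>
  <command>
    <name>restart-ossec</name>
  </command>
  <active-response>
    <command>firewall-drop-aggressive</command>
    <location>local</location>
    <timeout>600</timeout>
    <rules_id>xxx</rules_id>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
  </active-response>
  <active-response>
    <command>restart-ossec</command>
    <rules_id>xxx</rules_id>
    <repeated_offenders>60,30</repeated_offenders>
  </active-response>
</ossec_config>
"""

def check_active_responses(conf_text, shared_agent_conf=False):
    """Return (command, problem) pairs for <active-response> blocks that use
    <repeated_offenders>. ossec.conf may hold several <ossec_config> roots,
    so the text is wrapped in a dummy root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    expects = {}  # command definitions carry <name>; references in <active-response> do not
    for cmd in root.iter("command"):
        name = cmd.findtext("name")
        if name is not None:
            expects[name.strip()] = (cmd.findtext("expect") or "").strip()
    problems = []
    for ar in root.iter("active-response"):
        name = (ar.findtext("command") or "").strip()
        offenders = ar.findtext("repeated_offenders")
        if offenders is None:
            continue  # plain one-shot response, nothing to check here
        if shared_agent_conf:
            problems.append((name, "repeated_offenders is ignored in shared agent.conf"))
        if expects.get(name) != "srcip":
            problems.append((name, "command does not expect srcip"))
        minutes = [int(m) for m in offenders.split(",")]
        if minutes != sorted(minutes) or min(minutes) <= 0:
            problems.append((name, "repeated_offenders timeouts must increase"))
    return problems
```

Run it against the real file with `open("/var/ossec/etc/ossec.conf").read()` on an agent, and pass `shared_agent_conf=True` when checking the manager's shared agent.conf.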
