I'm glad to help. Also, I wrote a post about blocking attacks with active 
response (including repeated offenders 
configuration): http://blog.wazuh.com/blocking-attacks-active-response/

I hope you find it interesting.

Regards.

On Friday, May 20, 2016 at 8:27:38 AM UTC+2, Xavier Mertens wrote:
>
> Hi Jesus, 
> It worked much better! Kicking out offenders more and more now :-)
> My Google-fu was also better yesterday and I found this blog post:
>
> https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
>
> /x
>
>
> On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens <[email protected] 
> <javascript:>> wrote:
>
>> Thanks for the tips! I'll test again following your advices...
>>
>> /x
>>
>> On Thu, May 19, 2016 at 9:33 AM, Jesus Linares <[email protected] 
>> <javascript:>> wrote:
>>
>>> Hi,
>>>
>>> I guess that your command needs an IP, so if your rule *xxx *doesn't 
>>> have the field *srcip *extracted (by the proper decoder) the 
>>> active-response will not work.
>>>
>>> Also, keep in mind that *repeated_offenders *must be in* ossec.conf* of 
>>> *every 
>>> agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>>>
>>> Regards.
>>>
>>> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>>>
>>>> Hi *,
>>>>
>>>> I'm trying to implement a new active-response rule for a specific event 
>>>> (1 rule ID).
>>>> It must be implement with the <repeated_offenders> tag.
>>>>
>>>> Problem: I've multiple active-response rules matching this event and it 
>>>> seems that OSSEC picks up the wrong one (repeater offenders are not 
>>>> applied).
>>>>
>>>> Any idea to debug this? The rule is:
>>>>
>>>> <active-response>
>>>>     <command>firewall-drop-aggressive</command>
>>>>     <location>local</location>
>>>>     <timeout>600</timeout>
>>>>     <rules_id>xxx</rules_id>
>>>>     <repeated_offenders>30,60,120,240,480</repeated_offenders>
>>>>   </active-response>
>>>>
>>>> /x
>>>>
>>> -- 
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected] <javascript:>.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to