[ossec-list] Rule fired but active-response didn't work

Mon, 03 Jul 2017 03:06:12 -0700 

My rule fired, i received alert emails too. But active-response doesn't 
work. 

Here is my active-response config in ossec.conf:

<active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
</active-response>

Here is my email alert:

Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired 
(level 9) -> “Multiple access in a short time from same IP” Portion of the 
log(s):

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36”


After receiving this alert message, my IP hasn't been blocked and I still 
can send bunch of requests to the server. And when i checked 
/var/ossec/logs/active-responses.log, it was empty. No IP has been block. 
Can someone explain please?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to