Hey, I had a similar issue with the active response not working as intended. The way I solved it was to add the following to the ossec.conf
<ossec_config> <client> <server-ip>ossec-server</server-ip> </client> <active-response> <repeated_offenders>30,60,120,240,480</repeated_offenders> </active-response> <global> <email_notification>no</email_notification> </global> kind regards, Fredrik Den måndag 3 juli 2017 kl. 12:05:36 UTC+2 skrev Tunguyen: > > My rule fired, i received alert emails too. But active-response doesn't > work. > > Here is my active-response config in ossec.conf: > > <active-response> > <command>firewall-drop</command> > <location>all</location> > <rules_id>100101</rules_id> > <timeout>600</timeout> > </active-response> > > Here is my email alert: > > Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired > (level 9) -> “Multiple access in a short time from same IP” Portion of the > log(s): > > 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / HTTP/1.1” > 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” > > 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / HTTP/1.1” > 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” > > 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” > 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” > > 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” > 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” > > 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / HTTP/1.1” > 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” > > 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” > 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” > > 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” > 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” > > > After receiving this alert message, my IP hasn't been blocked and I still > can send bunch of requests to the server. And when i checked > /var/ossec/logs/active-responses.log, it was empty. No IP has been block. > Can someone explain please? > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
