ossec.conf on the AGENT side, forgot to mention!

On Monday, 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote:
>
> Hey, I had a similar issue with the active response not working as
> intended. The way I solved it was to add the following to the ossec.conf
>
>     <ossec_config>
>       <client>
>         <server-ip>ossec-server</server-ip>
>       </client>
>
>       <active-response>
>         <repeated_offenders>30,60,120,240,480</repeated_offenders>
>       </active-response>
>
>       <global>
>         <email_notification>no</email_notification>
>       </global>
>     </ossec_config>
>
> kind regards,
> Fredrik
>
> On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote:
>>
>> My rule fired, I received alert emails too. But active-response doesn't
>> work.
>>
>> Here is my active-response config in ossec.conf:
>>
>>     <active-response>
>>       <command>firewall-drop</command>
>>       <location>all</location>
>>       <rules_id>100101</rules_id>
>>       <timeout>600</timeout>
>>     </active-response>
>>
>> Here is my email alert:
>>
>> Received From: ubuntu-server->/var/log/nginx/access.log
>> Rule: 100101 fired (level 9) -> "Multiple access in a short time from same IP"
>> Portion of the log(s):
>>
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:27 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:26 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:24 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>
>> After receiving this alert message, my IP hasn't been blocked and I still
>> can send a bunch of requests to the server. And when I checked
>> /var/ossec/logs/active-responses.log, it was empty. No IP has been blocked.
>> Can someone explain please?
>>
>
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
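To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from the OSSEC project) that replays the quoted nginx lines through a simplified frequency rule, as rule 100101 "Multiple access in a short time from same IP" would, and models how <timeout> and <repeated_offenders> escalate the firewall-drop block length. The frequency/timeframe values and the escalation model (first offence uses <timeout> in seconds, later offences step through the list in minutes, capped at the last entry) are assumptions, and the log lines are constructed from the thread with the user-agent shortened.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the seven hits quoted in the thread, oldest first, UA shortened.
SAMPLE_LOG = """\
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:24 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:26 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:27 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0"
"""

# nginx "combined" format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (source ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def frequency_alerts(lines, frequency=6, timeframe=10):
    """Simplified OSSEC frequency rule: fire when one IP produces `frequency` hits
    within `timeframe` seconds, then reset that IP's window. Returns [(ip, fired_at)]."""
    window = defaultdict(list)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        # keep only hits that are still inside the sliding timeframe
        window[ip] = [t for t in window[ip] if (ts - t).total_seconds() <= timeframe]
        window[ip].append(ts)
        if len(window[ip]) >= frequency:
            alerts.append((ip, ts))  # this is the event that would trigger firewall-drop
            window[ip] = []
    return alerts


def block_duration(offence_number, timeout_seconds=600, repeated_offenders=(30, 60, 120, 240, 480)):
    """Assumed escalation model: 1st offence blocks for <timeout> seconds; the n-th
    offence (n >= 2) uses entry n-2 of <repeated_offenders> (minutes), capped at the last."""
    if offence_number <= 1:
        return timeout_seconds
    idx = min(offence_number - 2, len(repeated_offenders) - 1)
    return repeated_offenders[idx] * 60
```

With the thread's seven hits the rule fires once, at 16:46:26, for 118.70.116.148; a repeat offender would then be blocked for 30, 60, 120, 240 and finally 480 minutes instead of the 600-second default.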
