I've checked the ossec.conf on the server side and the agent side; they are the same as yours.
Here is the agent side:
  <active-response>
    <repeated_offenders>20,40,60</repeated_offenders>
  </active-response>

And the server side is the same as above, except that I add
<repeated_offenders> like this:
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <rules_id>100101</rules_id>
  <timeout>600</timeout>
  <repeated_offenders>20,40,60</repeated_offenders>
</active-response>

But the response still doesn't work.
Hmm, active-response used to work well, but after a day without changing
anything, it doesn't work anymore :(

On Monday, July 3, 2017 at 5:20:35 PM UTC+7, Fredrik Hilmersson wrote:
>
> Sorry for the 'spam' hehe, just checked my configuration once more and the 
> active response section you refer to is that the original response setting? 
> Make sure to have the following within your ossec.conf (server side):
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>600</timeout>
>   <repeated_offenders>30,60,120,240,480</repeated_offenders>
> </active-response>
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <rules_id>100101</rules_id>
> </active-response>
>
> On Monday, 3 July 2017 at 12:15:08 UTC+2, Fredrik Hilmersson wrote:
>>
>> ossec.conf on the AGENT side, forgot to mention!
>>
>> On Monday, 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote:
>>>
>>> Hey, I had a similar issue with the active response not working as 
>>> intended. The way I solved it was to add the following to the ossec.conf 
>>>
>>> <ossec_config>
>>>  <client>
>>>    <server-ip>ossec-server</server-ip>
>>>  </client>
>>>
>>> <active-response>
>>>  <repeated_offenders>30,60,120,240,480</repeated_offenders>
>>> </active-response>
>>>
>>> <global>
>>>  <email_notification>no</email_notification>
>>> </global>
>>>
>>> kind regards,
>>> Fredrik
>>>
>>>> On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote:
>>>>
>>>> My rule fired, I received alert emails too. But active-response doesn't
>>>> work.
>>>>
>>>> Here is my active-response config in ossec.conf:
>>>>
>>>> <active-response>
>>>>     <command>firewall-drop</command>
>>>>     <location>all</location>
>>>>     <rules_id>100101</rules_id>
>>>>     <timeout>600</timeout>
>>>> </active-response>
>>>>
>>>> Here is my email alert:
>>>>
>>>> Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired (level 9) -> "Multiple access in a short time from same IP" Portion of the log(s):
>>>>
>>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:27 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:26 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:24 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>>>
>>>>
>>>> After receiving this alert message, my IP hasn't been blocked and I
>>>> can still send a bunch of requests to the server. And when I checked
>>>> /var/ossec/logs/active-responses.log, it was empty. No IP has been blocked.
>>>> Can someone explain please?
>>>>
>>>

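A small checker for the kind of `<active-response>` stanzas exchanged in this thread, added here as an example; it is not code from OSSEC or from any poster. It assumes only the element names used above (command, location, level, rules_id, timeout, repeated_offenders) and reports a fragment that an XML parser rejects, a stanza with an element outside that set (such as a misspelled `<time-out>`), a server-side definition without a location or trigger, and non-integer timeouts, so a broken stanza is caught before the daemon is restarted and the response silently never fires.

```python
import xml.etree.ElementTree as ET

# Element names that appear in this thread; anything else in a stanza is reported.
KNOWN = {"command", "location", "level", "rules_id", "timeout", "repeated_offenders"}


def check_active_response(fragment: str) -> list:
    """Return a list of findings; an empty list means the fragment looks sane."""
    try:
        # ossec.conf may hold several top-level stanzas, so wrap them in a root.
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        # Mismatched or malformed closing tags such as "</ command>" end up here.
        return ["not well-formed XML: %s" % exc]

    findings = []
    for n, ar in enumerate(root.iter("active-response"), 1):
        kids = {child.tag: (child.text or "").strip() for child in ar}
        for tag in sorted(set(kids) - KNOWN):
            findings.append("stanza %d: unknown element <%s>" % (n, tag))
        if "command" in kids:
            # A response definition (server side) needs a location and a trigger.
            if "location" not in kids:
                findings.append("stanza %d: <location> missing" % n)
            if not {"level", "rules_id"} & set(kids):
                findings.append("stanza %d: no trigger (<level> or <rules_id>)" % n)
            if "timeout" in kids and not kids["timeout"].isdigit():
                findings.append("stanza %d: <timeout> must be an integer" % n)
        elif set(kids) - {"repeated_offenders"}:
            # The agent-side form in this thread carries only repeated_offenders.
            findings.append("stanza %d: no <command> but other elements present" % n)
        if "repeated_offenders" in kids:
            parts = [p.strip() for p in kids["repeated_offenders"].split(",")]
            if not all(p.isdigit() for p in parts):
                findings.append("stanza %d: <repeated_offenders> must be integers" % n)
    return findings


if __name__ == "__main__":
    # Constructed sample: the server-side stanza as posted in this thread.
    POSTED = """<active-response>
  <command> firewall-drop </ command>
  <location> all </ location>
  <rules_id> 100101 </ rules_id>
  <time-out> 600 </ timeout>
  <repeated_offenders>20,40,60</repeated_offenders>
</ active-response>"""
    for finding in check_active_response(POSTED) or ["no findings"]:
        print(finding)
```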
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.