Hi everyone, here is my ossec.conf on the server:
<active-response>
<!-- Block Multiple SQL Injection from same IP -->
<command>firewall-drop</command>
<location>server,all</location>
<rules_id>31152</rules_id>
<timeout>600</timeout>
<repeated_offenders>30,60,90,120,150</repeated_offenders>
</active-response>
rule 31152 is:
<rule id="31152" level="10" frequency="6" timeframe="120">
<if_matched_sid>31103</if_matched_sid>
<same_source_ip />
<description>Multiple SQL injection attempts from same </description>
<description>souce ip.</description>
<group>attack,sql_injection,</group>
</rule>
After i tried to SQL injection to the agent using agent IP address, the
rule 31152 fired, i still can connect to the agent IP, but i can't connect
to the server IP, and i found out that i was blocked away from the server
IP. If i change <location>server, all</location> into
<location>all<location>, i was not blocked anymore by either server or
agent. So are there anything happened to my config?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
