On Fri, Nov 2, 2018 at 7:20 AM Giorgio Biondi <[email protected]> wrote:
>
> Hi Dan,
> I have put this in my ossec.conf on the agent side: I have read your old message on
> the newsgroup with the suggestion to put this on the 'agent side'
>
> <active-response>
>   <repeated_offenders>60,120,480</repeated_offenders>
> </active-response>
>
> It's too early for now, but it seems to work...
>
> Thank you.
>
Out of curiosity, I checked the documentation:
http://www.ossec.net/docs/syntax/head_ossec_config.active-response.html?highlight=repeated#element-repeated_offenders

> On Fri, Nov 2, 2018 at 11:54 dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Nov 1, 2018 at 5:22 AM Giorgio Biondi <[email protected]>
>> wrote:
>> >
>> > Hi all,
>> >
>> > It seems that "repeat offenders" does not work, at least in a server-agent
>> > configuration. I have an ossec server with 10 agents. Below is an excerpt
>> > of the ossec.conf configuration on the server. I repeated attacks from an
>> > IP (obviously not the one you see; I intentionally put in a non-existent
>> > IP) and the ossec agent continues to cancel the defense every 10
>> > minutes, as if "repeat offenders" were not configured. Where am I
>> > wrong?
>> >
>>
>> I believe the repeated_offenders setting needs to be on the agent, not
>> the server? Something like that.
>> It's been a while since I used it.
>>
>> >
>> > Extract from my ossec.conf:
>> >
>> > <!-- Active Response Config -->
>> > <active-response>
>> >   <!-- This response is going to execute the host-deny
>> >      - command for every event that fires a rule with
>> >      - level (severity) >= 6.
>> >      - The IP is going to be blocked for 600 seconds.
>> >     -->
>> >   <command>host-deny</command>
>> >   <location>all</location>
>> >   <level>6</level>
>> >   <timeout>600</timeout>
>> >   <repeated_offenders>60,120,480</repeated_offenders>
>> > </active-response>
>> >
>> > <active-response>
>> >   <!-- Firewall Drop response. Block the IP for
>> >      - 600 seconds on the firewall (iptables,
>> >      - ipfilter, etc).
>> >     -->
>> >   <command>firewall-drop</command>
>> >   <location>all</location>
>> >   <level>6</level>
>> >   <timeout>600</timeout>
>> >   <repeated_offenders>60,120,480</repeated_offenders>
>> > </active-response>
>> >
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
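A way to check which ossec.conf actually carries a `repeated_offenders` ladder, as an added example that is not part of the original messages or of OSSEC itself. The function names and both sample configurations are constructed for illustration; the limits checked (values in minutes, at most 5 entries, increasing) are taken from the OSSEC documentation for this element.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two snippets quoted in the thread.
SERVER_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>60,120,480</repeated_offenders>
  </active-response>
</ossec_config>"""

AGENT_CONF = """<ossec_config>
  <active-response>
    <repeated_offenders>60,120,480</repeated_offenders>
  </active-response>
</ossec_config>"""


def offender_ladders(conf_text):
    """Return (command or None, [timeouts in minutes]) for every
    active-response block that carries repeated_offenders."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    found = []
    for block in root.iter("active-response"):
        raw = block.findtext("repeated_offenders")
        if raw is None:
            continue
        ladder = [int(v) for v in raw.split(",") if v.strip()]
        found.append((block.findtext("command"), ladder))
    return found


def ladder_problems(ladder):
    """Documented limits (assumed from the OSSEC docs): at most 5 entries,
    each timeout larger than the previous one."""
    problems = []
    if len(ladder) > 5:
        problems.append("more than 5 entries")
    if any(b <= a for a, b in zip(ladder, ladder[1:])):
        problems.append("timeouts are not increasing")
    return problems


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("agent", AGENT_CONF)):
        for command, ladder in offender_ladders(conf):
            print(name, command, ladder, ladder_problems(ladder) or "ok")
```

Run against the ossec.conf of each agent, an empty result from `offender_ladders` means no ladder is set in that file, which matches the 10-minute unblock behaviour described in the thread.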
