[ossec-list] Re: Repeated offenders - timeout of IP count

2018-03-27 Thread Bill Price
If you look in the logs directory on the clients, it will show you the commands that are run to add and remove IPs. On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote: > > Hi, > > I would like to know for how long time OSSEC "store" the blocked IP so > that it is considered

[ossec-list] Re: Repeated offenders - timeout of IP count

2018-03-27 Thread Bill Price
By default, 10 minutes. But you can change it. Add this to the ossec.conf on the client machines. The values are in seconds and you can adjust them 600,3600,7200, 14400 On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote: > > Hi, > > I would like to know for how long

Re: [ossec-list] Re: Repeated offenders?

2016-05-20 Thread Xavier Mertens
Hi Jesus, It worked much better! Kicking out offenders more and more now :-) My Google-fu was also better yesterday and I found this blog post: https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html /x On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens

Re: [ossec-list] Re: Repeated offenders?

2016-05-19 Thread Xavier Mertens
Thanks for the tips! I'll test again following your advice... /x On Thu, May 19, 2016 at 9:33 AM, Jesus Linares wrote: > Hi, > > I guess that your command needs an IP, so if your rule *xxx* doesn't have > the field *srcip* extracted (by the proper decoder) the active-response

[ossec-list] Re: Repeated offenders?

2016-05-19 Thread Jesus Linares
Hi, I guess that your command needs an IP, so if your rule *xxx* doesn't have the field *srcip* extracted (by the proper decoder) the active-response will not work. Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of *every agent* (*shared/agent.conf* or

Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 10:49 AM, Dimitri Yioulos wrote: Anyone have any ideas on this? All, Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added the following directives to ossec.conf on the host that I want this to work in: command

Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Dimitri Yioulos
On Monday 12 March 2012 12:24:47 pm Steven Stern wrote: On 03/12/2012 10:49 AM, Dimitri Yioulos wrote: Anyone have any ideas on this? All, Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added the following directives to ossec.conf on the

Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 11:53 AM, Dimitri Yioulos wrote: On Monday 12 March 2012 12:24:47 pm Steven Stern wrote: On 03/12/2012 10:49 AM, Dimitri Yioulos wrote: Anyone have any ideas on this? All, Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added the

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-20 Thread Chris Warren
be blocked per-agent. I manage my config changes with puppet so it should be a quick fix :) - Original Message - From: c0by jake@gmail.com To: ossec-list ossec-list@googlegroups.com Sent: Saturday, December 17, 2011 7:46:25 AM Subject: [ossec-list] Re: Repeated Offenders not triggering I

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-19 Thread dan (ddp)
Thanks for finding that. If I haven't already, I'll update the docs. On Sat, Dec 17, 2011 at 7:46 AM, c0by jake@gmail.com wrote: I did some more testing, and I am happy to say I believe this issue is SOLVED! The issue is that the repeated offenders configuration needs to be on the

[ossec-list] Re: Repeated Offenders not triggering

2011-12-17 Thread c0by
I did some more testing, and I am happy to say I believe this issue is SOLVED! The issue is that the repeated offenders configuration needs to be on the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I believe you could have it on both so it is used for both the server and agent.

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-17 Thread Chris Warren
my config changes with puppet so it should be a quick fix :) - Original Message - From: c0by jake@gmail.com To: ossec-list ossec-list@googlegroups.com Sent: Saturday, December 17, 2011 7:46:25 AM Subject: [ossec-list] Re: Repeated Offenders not triggering I did some more testing