Hello,
I would like to know if it's possible to have multiple active-response schemes for the same command?
I would like to block host/firewall for 600 seconds for level 10 and block for 3600 seconds for > 10.
I tried to add the lines below, but the only hosts that are blocked are the hosts who raised a level 10 alert; level 11 or up is not blocked at all!
Thanks
Sioban
This is not working:
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 10.
     - The IP is going to be blocked for 600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
  -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 11.
     - The IP is going to be blocked for 3600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>11</level>
  <timeout>3600</timeout>
</active-response>
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 3600 seconds on the firewall (iptables,
     - ipfilter, etc).
  -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>11</level>
  <timeout>3600</timeout>
</active-response>
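One way to get two different timeouts, added here as an illustration rather than taken from the post above or from OSSEC's own documentation: it assumes execd tracks an in-progress response by command name plus source IP, so the 3600-second entry is treated as a repeat of the 600-second one and discarded, and that giving the longer response its own `<command>` name (the `-long` names below are hypothetical) mapped to the same stock script works around that.

```xml
<!-- Constructed example. The "-long" command names are hypothetical;
     host-deny.sh and firewall-drop.sh are the stock OSSEC scripts. -->
<command>
  <name>host-deny-long</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<command>
  <name>firewall-drop-long</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Level 10 and above: short block under the stock command names -->
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>

<!-- Level 11 and above: long block under a distinct command name, so
     execd does not see it as a repeat of the 600-second response -->
<active-response>
  <command>host-deny-long</command>
  <location>local</location>
  <level>11</level>
  <timeout>3600</timeout>
</active-response>
<active-response>
  <command>firewall-drop-long</command>
  <location>local</location>
  <level>11</level>
  <timeout>3600</timeout>
</active-response>
```

Because `<level>` is a minimum, a level-11 alert still fires the level-10 entries as well, so verify that the short response's delete step (removing the hosts.deny line, for instance) does not undo the longer block before its 3600 seconds are up.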