Just switch the order, adding the one with the larger timeout first. The issue
is that ossec keeps track of the currently blocked IPs and, for any level
higher than 11, it will attempt to execute two responses (the one for 10+ and
the one for 11+). So, what is happening, step by step:
- ossec fires the rule for level 11.
- ossec executes the first response (for level 10), blocking the IP.
- ossec tries to execute the response for level 11, but since the
IP is already blocked it doesn't do anything.
By switching the order, ossec will execute the response for level
11 first...
Hope it helps..
*btw, can I add your two rules for modsecurity to our official apache rules?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
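A small check for the ordering problem described above, as an added example that is not part of this thread or of OSSEC itself: it parses the active-response entries in document order and reports any entry that an earlier entry for the same command, with a level at or below its own, would shadow, then applies the fix from the reply (higher level first). It assumes the evaluation order Daniel describes and uses a constructed excerpt of the config from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the config from the thread: for each command the
# level-10/600s entry is listed before the level-11/3600s one.
BROKEN_CONF = """
<active-response><command>host-deny</command><location>local</location>
  <level>10</level><timeout>600</timeout></active-response>
<active-response><command>firewall-drop</command><location>local</location>
  <level>10</level><timeout>600</timeout></active-response>
<active-response><command>host-deny</command><location>local</location>
  <level>11</level><timeout>3600</timeout></active-response>
<active-response><command>firewall-drop</command><location>local</location>
  <level>11</level><timeout>3600</timeout></active-response>
"""

def parse_responses(conf_text):
    """Return (command, level, timeout) tuples in document order.
    ossec.conf may contain several top-level elements, so wrap it first."""
    root = ET.fromstring("<root>%s</root>" % conf_text)
    entries = []
    for ar in root.iter("active-response"):
        entries.append((ar.findtext("command"),
                        int(ar.findtext("level", "0")),
                        int(ar.findtext("timeout", "0"))))
    return entries

def shadowed_responses(conf_text):
    """Entries that never take effect: an earlier entry for the same command
    with a level <= theirs fires on the same alert, blocks the IP first, and
    the later one is skipped because the IP is already blocked."""
    lowest_seen = {}  # command -> lowest level among earlier entries
    findings = []
    for cmd, level, timeout in parse_responses(conf_text):
        if cmd in lowest_seen and lowest_seen[cmd] <= level:
            findings.append((cmd, level, timeout, lowest_seen[cmd]))
        lowest_seen[cmd] = min(lowest_seen.get(cmd, level), level)
    return findings

def reorder(entries):
    """Apply the fix from the reply: list higher levels (longer timeouts)
    first. sorted() is stable, so relative order within a level is kept."""
    return sorted(entries, key=lambda e: -e[1])

def render(entries):
    """Write entries back out as <active-response> blocks."""
    tmpl = ("<active-response><command>%s</command><location>local</location>"
            "<level>%d</level><timeout>%d</timeout></active-response>")
    return "\n".join(tmpl % e for e in entries)
```

Running `shadowed_responses(BROKEN_CONF)` flags both level-11 entries; feeding the same entries through `render(reorder(...))` yields a config the check passes.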
On 9/14/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hello,
I would like to know if it's possible to have multiple active-response
schemes for the same command?
I would like to block host/firewall for 600 seconds for level 10 and
block for 3600 seconds for > 10
I tried to add the lines below, but the only hosts that are blocked are
the hosts who raised a level 10 alert;
level 11 or up is not blocked at all!
Thanks
Sioban
This is not working:
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 10.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>10</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>10</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 11.
- The IP is going to be blocked for 3600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>11</level>
<timeout>3600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 3600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>11</level>
<timeout>3600</timeout>
</active-response>