How much time passes between the blocks? (I don't know much about repeated_offenders, so just gathering ideas.)
On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren <chris.war...@netelligent.ca> wrote:
> Hi,
> I am trying out the <repeated_offenders> option but it does not seem to be
> triggering.
>
> Here is my active response config:
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>7</level>
>   <timeout>600</timeout>
>   <repeated_offenders>30,60,120,1440</repeated_offenders>
> </active-response>
>
> I also get this when restarting OSSEC:
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>
> So all appears well, however, I am seeing the same offender being unblocked
> after 600 seconds each time.
>
> Thanks for any help offered.
>
> Chris