Thanks for finding that. If I haven't already, I'll update the docs.
On Sat, Dec 17, 2011 at 7:46 AM, c0by <jake....@gmail.com> wrote:
> I did some more testing, and I am happy to say I believe this issue is
> SOLVED!
>
> The issue is that the repeated offenders configuration needs to be on
> the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I
> believe you could have it on both so it is used for both the server
> and agent. It can't go in the agent.conf currently, which would have been
> nice, but it's fine for now.
>
> For more details on this see my post on this solution here:
> http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
>
> Regards
> Jake
>
> On Dec 17, 4:57 am, Chris Warren <chris.war...@netelligent.ca> wrote:
>> Good find! Thank you!
>>
>> Unfortunately the source is still a little over my head... just meaning that
>> I don't have the time right now to get in and learn.
>>
>> But I work regularly with a couple of different ossec server/agent groups
>> for different clients, and can definitely help to test any code patches,
>> and/or help with any diagnostic testing.
>>
>> I'd love to see this feature work, but it is by no means a deal-breaker for
>> me.
>>
>> ----- Original Message -----
>> From: "jake 22s" <jake....@gmail.com>
>> To: ossec-list@googlegroups.com
>> Sent: Friday, December 16, 2011 6:09:51 PM
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> I can confirm that repeated_offenders *does* work on a local-only install.
>>
>> I too run an agent/server setup with blocks going to all agents. With this
>> setup repeated_offenders does *not* work. It says it's loaded in the start-up
>> log, but it is ignored and the default AR timeout is always used.
>>
>> So going by your suggestion, I installed a fresh local-only ossec install on
>> a development server and it does indeed work.
>>
>> Looks like some code must be missing from the agent-only build perhaps. Not
>> done much testing yet, but will do more later and have a read through the
>> source.
>>
>> Any of the developers know much about this?
>>
>> -----Original Message-----
>> From: Chris Warren <chris.war...@netelligent.ca>
>> Sender: ossec-list@googlegroups.com
>> Date: Fri, 16 Dec 2011 14:41:38
>> To: <ossec-list@googlegroups.com>
>> Reply-To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Could be that it's only working for local setups currently? I am using
>> server/agent, with active responses triggering blocks on all servers.
>>
>> Even so, I repeatedly abused 1 single server and could not get the
>> repeated_offenders timeout to trigger.
>>
>> Anybody with a local install that can test this, or has it working?
>>
>> ----- Original Message -----
>> From: "jake 22s" <jake....@gmail.com>
>> To: ossec-list@googlegroups.com
>> Sent: Wednesday, December 14, 2011 6:56:47 AM
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Moving the repeated_offenders to its own block did not work for me. I don't
>> see anything in the log on start either.
>>
>> Is this feature confirmed as working? Just doesn't seem to have many docs
>> for it; would be a nice feature to use.
>>
>> Jake
>> Sent using BlackBerry® from Orange
>>
>> -----Original Message-----
>> From: Chris Warren <chris.war...@netelligent.ca>
>> Sender: ossec-list@googlegroups.com
>> Date: Tue, 13 Dec 2011 15:55:40
>> To: <ossec-list@googlegroups.com>
>> Reply-To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Sometimes I see the same host blocked every 600 seconds (the timeout value).
>>
>> I tried adding the repeated_offenders list to its own block as the
>> documentation suggested, but then I do not see:
>>
>> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
>> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
>> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
>> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>>
>> I will be doing some more testing as well, and will report back if I find a
>> solution.
>>
>> ----- Original Message -----
>> From: "dan (ddp)" <ddp...@gmail.com>
>> To: ossec-list@googlegroups.com
>> Sent: Tuesday, December 13, 2011 3:46:23 PM
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
>> I think the repeated_offenders list should be in its own block.
>> Example:
>>
>> <active-response>
>>   <command>firewall-drop</command>
>>   <location>all</location>
>>   <level>7</level>
>>   <timeout>600</timeout>
>> </active-response>
>> <active-response>
>>   <repeated_offenders>30,60,120,1440</repeated_offenders>
>> </active-response>
>>
>> Again, I'm not sure, and I don't know how easy this will be for me to test.
>>
>> On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren
>> <chris.war...@netelligent.ca> wrote:
>> > Hi,
>> > I am trying out the <repeated_offenders> option but it does not seem to
>> > be triggering.
>> >
>> > Here is my active response config:
>> > <active-response>
>> >   <!-- Firewall Drop response. Block the IP for
>> >      - 600 seconds on the firewall (iptables,
>> >      - ipfilter, etc).
>> >   -->
>> >   <command>firewall-drop</command>
>> >   <location>all</location>
>> >   <level>7</level>
>> >   <timeout>600</timeout>
>> >   <repeated_offenders>30,60,120,1440</repeated_offenders>
>> > </active-response>
>> >
>> > I also get this when restarting OSSEC:
>> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
>> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
>> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
>> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>> >
>> > So all appears well, however, I am seeing the same offender being
>> > unblocked after 600 seconds each time.
>> >
>> > Thanks for any help offered.
>> >
>> > Chris
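A small checker for the two failure modes this thread walks through, added here as an example and not code from the thread or from the OSSEC project: the `<repeated_offenders>` list either is not loaded by ossec-execd at all (nothing in the start-up log), or is loaded but ignored because it sits in the server's ossec.conf while the agent that actually runs firewall-drop has no copy (Jake's finding above). The config fragments and log lines are constructed to match what the posts quote; the five-entry cap and the minute units for the list come from OSSEC's active-response documentation, not from this thread.

```python
"""Sanity-check an OSSEC repeated_offenders deployment.

Added example for the ossec-list thread above; not OSSEC project code.
It parses an ossec.conf fragment, pulls out the <repeated_offenders>
list, flags obvious mistakes in it, and compares it with the timeouts
ossec-execd reports loading in ossec.log.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the agent-side ossec.conf with the list in its own
# <active-response> block, as dan's example in the thread shows.
AGENT_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <repeated_offenders>30,60,120,1440</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Constructed sample: a server-side ossec.conf that carries only the plain
# firewall-drop response, so the list is missing on this host.
SERVER_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# Constructed log lines in the format ossec-execd printed in the thread.
EXECD_LOG = """\
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
"""

LOG_RE = re.compile(
    r"ossec-execd: INFO: Adding offenders timeout: (\d+) \(for #(\d+)\)")


def configured_timeouts(conf_text):
    """Return the <repeated_offenders> values (minutes, per the OSSEC docs)
    found anywhere in an ossec.conf fragment, or None when the option is
    absent.  ossec.conf may hold several top-level <ossec_config> blocks,
    so the text is wrapped in a dummy root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    values = []
    for node in root.iter("repeated_offenders"):
        if node.text:
            values.extend(int(v) for v in node.text.split(",") if v.strip())
    return values or None


def loaded_timeouts(log_text):
    """Return the timeouts ossec-execd reports loading, in log order."""
    return [int(m.group(1)) for m in LOG_RE.finditer(log_text)]


def schedule_problems(values):
    """Flag mistakes in a repeated_offenders list: empty, not strictly
    increasing, or longer than the five entries OSSEC documents."""
    problems = []
    if not values:
        problems.append("empty list")
        return problems
    if any(b <= a for a, b in zip(values, values[1:])):
        problems.append("timeouts are not strictly increasing")
    if len(values) > 5:
        problems.append("more than 5 entries; OSSEC documents a maximum of 5")
    return problems


def check_deployment(agent_conf, server_conf, log_text):
    """Report whether the agent that applies the block has the list, whether
    the server does, and whether execd loaded exactly the agent's values."""
    agent = configured_timeouts(agent_conf)
    server = configured_timeouts(server_conf)
    return {
        "agent_has_list": agent is not None,
        "server_has_list": server is not None,
        "loaded_matches_agent": agent == loaded_timeouts(log_text),
        "problems": schedule_problems(agent or []),
    }


if __name__ == "__main__":
    for key, val in check_deployment(AGENT_CONF, SERVER_CONF, EXECD_LOG).items():
        print(f"{key}: {val}")
```

Run it against the real files by reading `/var/ossec/etc/ossec.conf` from an agent and the server and the agent's `/var/ossec/logs/ossec.log` into the three inputs; `agent_has_list` false with `server_has_list` true is exactly the situation Jake described, where the start-up log on the server looks healthy but the agent keeps using the default 600-second timeout.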