> Check the frequency documentation:
> http://devio.us/~ddp/ossec/docs/syntax/head_rules.html
>
>
Thanks for the information.
> > *2) I want to block the client that has triggered this rule so that he
> > doesn't get a chance to login anymore
> >
> > (block the client). How can I do it? I tried adding this rule on
> > "active response" field with "timeout=600".
> >
> > I guess then the client should be blocked and not allowed to login
> > into the client for the next 600 sec, but the
> >
> > client is immediately able to gain access. (I hope I am getting it
> > right).
> >
> >
> > Please help.
>
> You forgot to include the configuration you tried. Did you restart the
> ossec processes on the ossec server after making this change? Is
> active response enabled on the agent?
>
Yes, I restarted the ossec server after making this change, and I have enabled
active response in the client config as well.
In server config :::
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<rules_id>100153</rules_id>
<level>6</level>
<timeout>600</timeout>
</active-response>
In local rules :::
<rule id="100153" level="10" frequency="2" timeframe="240">
<if_matched_sid>18106</if_matched_sid>
<description>Multiple window logon failure</description>
</rule>
In agent's config :::
<active-response>
<disabled>no</disabled>
</active-response>
I just want to block a client which triggers this rule "100153", but even
after multiple logon failures, the client is not being blocked for 600 seconds.
Though I can see the alert at the server.
I hope I am not missing something.
Please help.
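As an added illustration, not part of this thread and not OSSEC's own code, the following Python sketch simulates the pipeline the configuration above describes: the composite rule 100153 counting 18106 matches per source inside the 240-second timeframe, and an active response that blocks the alert's source address for 600 seconds. The matching is simplified (the real engine's trigger count differs from the literal `frequency` value; see the frequency documentation linked above). It assumes rule 18106 is level 5, treats an active response that sets both `<rules_id>` and `<level>` as requiring both conditions, and uses constructed timestamps and addresses. Two checks it makes visible: a response keyed on the source IP can do nothing when the alert carries no `srcip`, and `host-deny` rewrites /etc/hosts.deny on the host where it runs, so with `<location>local</location>` that host is the agent that raised the Windows logon-failure alert.

```python
"""Simulation of OSSEC-style frequency/timeframe correlation and a timed
host-deny active response. Illustrative code, not OSSEC's implementation."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    ts: int                 # event time in seconds (constructed)
    sid: int                # rule id matched by the raw log line
    srcip: Optional[str]    # source address from the decoder, if any

# Rule levels: 100153 is from the thread; level 5 for 18106 is an assumption.
RULE_LEVELS = {18106: 5, 100153: 10}

# Composite rule from the thread's local rules.
COMPOSITE_RULE = {"id": 100153, "if_matched_sid": 18106,
                  "frequency": 2, "timeframe": 240}

# Active response from the thread's server config.
ACTIVE_RESPONSE = {"command": "host-deny", "rules_id": {100153},
                   "level": 6, "timeout": 600}

class Correlator:
    """Counts parent-rule matches per source inside a sliding timeframe."""
    def __init__(self, rule):
        self.rule = rule
        self.history = defaultdict(deque)   # srcip -> timestamps of parent matches

    def feed(self, ev: Event) -> int:
        """Return the rule id the event ends up raising."""
        if ev.sid != self.rule["if_matched_sid"]:
            return ev.sid
        window = self.history[ev.srcip]
        window.append(ev.ts)
        # Drop matches older than the timeframe relative to this event.
        while ev.ts - window[0] > self.rule["timeframe"]:
            window.popleft()
        if len(window) >= self.rule["frequency"]:
            window.clear()                  # counter resets once the rule fires
            return self.rule["id"]
        return ev.sid

class Responder:
    """Applies the active response and tracks blocks with their expiry."""
    def __init__(self, ar):
        self.ar = ar
        self.blocks = {}                    # srcip -> expiry timestamp

    def handle(self, rule_id: int, srcip: Optional[str], ts: int) -> str:
        # Both rules_id and level must match (assumed conjunctive).
        if rule_id not in self.ar["rules_id"] or \
                RULE_LEVELS.get(rule_id, 0) < self.ar["level"]:
            return "no-match"
        if srcip is None:                   # nothing to put in hosts.deny
            return "skipped-no-srcip"
        self.blocks[srcip] = ts + self.ar["timeout"]
        return f"{self.ar['command']} add {srcip}"

    def is_blocked(self, srcip: str, ts: int) -> bool:
        expiry = self.blocks.get(srcip)
        return expiry is not None and ts < expiry

def simulate(events):
    """Run events through correlation and response; return actions and responder."""
    correlator = Correlator(COMPOSITE_RULE)
    responder = Responder(ACTIVE_RESPONSE)
    actions = []
    for ev in sorted(events, key=lambda e: e.ts):
        rule_id = correlator.feed(ev)
        actions.append((ev.ts, rule_id, responder.handle(rule_id, ev.srcip, ev.ts)))
    return actions, responder

def demo():
    """Constructed sample: two failures inside the timeframe, two outside it,
    and two failures whose alert has no source address."""
    events = [
        Event(0, 18106, "10.0.0.5"), Event(60, 18106, "10.0.0.5"),    # fires, blocked
        Event(0, 18106, "10.0.0.9"), Event(300, 18106, "10.0.0.9"),   # gap > 240 s
        Event(10, 18106, None), Event(20, 18106, None),               # fires, no srcip
    ]
    return simulate(events)

if __name__ == "__main__":
    actions, responder = demo()
    for ts, rule_id, action in actions:
        print(f"t={ts:4d} rule={rule_id} -> {action}")
    print("10.0.0.5 blocked at t=100:", responder.is_blocked("10.0.0.5", 100))
    print("10.0.0.5 blocked at t=700:", responder.is_blocked("10.0.0.5", 700))
```

Running the demo shows 100153 raised at t=60 for 10.0.0.5 with a block that lapses at t=660, no composite alert for 10.0.0.9 because its second failure falls outside the 240-second window, and a 100153 alert at t=20 that triggers no block because the alert has no source address.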