On Tuesday 12 March 2013 11:22:24 am Martin Gottlieb wrote:
> Hello,
>
> I have added the repeated_offenders configuration block
> to all of my agents and the server as follows:
>
> <active-response>
>      <repeated_offenders>120,180,240</repeated_offenders>
> </active-response>
>
> When I restart OSSEC on the agent, I do see the messages
> indicating that it recognizes the settings:
>
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
> timeout: 120 (for #1)
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
> timeout: 180 (for #2)
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
> timeout: 240 (for #3)
>
> However, I continue to see repeated attacks where the
> blocking is deleted after the default 60 minutes each
> time:
>
> Tue Mar 12 04:02:23 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363075343.32232753 5720
> Tue Mar 12 05:02:55 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363075343.32232753 5720
> Tue Mar 12 05:45:03 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363081503.103380375 5712
> Tue Mar 12 06:46:19 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363081503.103380375 5712
> Tue Mar 12 06:47:26 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363085246.126982032 5712
> Tue Mar 12 07:48:42 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363085246.126982032 5712
> Tue Mar 12 08:02:53 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363089773.151565087 5712
> Tue Mar 12 09:04:16 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363089773.151565087 5712
> Tue Mar 12 09:05:23 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363093523.180046077 5712
> Tue Mar 12 10:06:19 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363093523.180046077 5712
>
> The only solution I've seen to this issue is to make sure
> this is configured on the agent side, not the server.  As
> I mentioned, I have done this.
> I am running OSSEC 2.6 on the server and all agents.
>
> Am I missing something?
>
> thanks.
>
> Martin
>
> PS.  Sorry if this is a duplicate posting, I tried
> posting through the web interface and it didn't show up.
>


For what it's worth, I have the same problem.

Dimitri
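
A way to check from the agent's active-responses.log whether escalation is taking effect, as an added example that is not part of the original thread or OSSEC's own code. It assumes one event per line, a single timezone throughout, and that the first block uses the base timeout while each later block takes the next repeated_offenders value in minutes; `parse_event`, `audit_blocks` and the sample (the first three add/delete pairs quoted above) are constructed here.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first three add/delete pairs quoted in the thread, one event per line.
SAMPLE_LOG = """\
Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
"""

def parse_event(line):
    """Return (time, action, ip, alert_id) for a firewall-drop.sh line, else None."""
    f = line.split()
    if len(f) < 12 or not f[6].endswith("firewall-drop.sh"):
        return None
    # Drop the timezone token (f[4]); assumes every entry uses the same zone.
    when = datetime.strptime(" ".join((f[1], f[2], f[3], f[5])), "%b %d %H:%M:%S %Y")
    return when, f[7], f[9], f[10]

def audit_blocks(log_text, base_minutes=60, offenders=(120, 180, 240)):
    """Pair add/delete events and compare each block's length with the expected timeout."""
    expected = (base_minutes,) + tuple(offenders)
    pending, count, report = {}, defaultdict(int), []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        when, action, ip, alert_id = event
        if action == "add":
            pending[(ip, alert_id)] = when
        elif action == "delete" and (ip, alert_id) in pending:
            minutes = (when - pending.pop((ip, alert_id))).total_seconds() / 60
            # Assumption: offence n uses entry n of the list; the last entry repeats.
            want = expected[min(count[ip], len(expected) - 1)]
            count[ip] += 1
            report.append((ip, count[ip], round(minutes, 1), want, minutes >= want))
    return report

if __name__ == "__main__":
    for ip, n, got, want, ok in audit_blocks(SAMPLE_LOG):
        print(f"{ip} block #{n}: {got} min (expected >= {want}) {'ok' if ok else 'NOT ESCALATED'}")
```

Run against the quoted entries, the second and third blocks are flagged because each lasted about 61 minutes instead of 120 and 180.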
