Hi, I guess that your command needs an IP, so if your rule *xxx *doesn't have the field *srcip *extracted (by the proper decoder) the active-response will not work.
Also, keep in mind that *repeated_offenders *must be in* ossec.conf* of *every agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid). Regards. On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote: > > Hi *, > > I'm trying to implement a new active-response rule for a specific event (1 > rule ID). > It must be implement with the <repeated_offenders> tag. > > Problem: I've multiple active-response rules matching this event and it > seems that OSSEC picks up the wrong one (repeater offenders are not > applied). > > Any idea to debug this? The rule is: > > <active-response> > <command>firewall-drop-aggressive</command> > <location>local</location> > <timeout>600</timeout> > <rules_id>xxx</rules_id> > <repeated_offenders>30,60,120,240,480</repeated_offenders> > </active-response> > > /x > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.