Thanks for the tips! I'll test again following your advice... /x
On Thu, May 19, 2016 at 9:33 AM, Jesus Linares <je...@wazuh.com> wrote:
> Hi,
>
> I guess that your command needs an IP, so if your rule *xxx* doesn't have
> the field *srcip* extracted (by the proper decoder) the active-response
> will not work.
>
> Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of
> *every agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>
> Regards.
>
> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>
>> Hi *,
>>
>> I'm trying to implement a new active-response rule for a specific event
>> (1 rule ID).
>> It must be implemented with the <repeated_offenders> tag.
>>
>> Problem: I've multiple active-response rules matching this event and it
>> seems that OSSEC picks up the wrong one (repeated offenders are not
>> applied).
>>
>> Any idea to debug this? The rule is:
>>
>> <active-response>
>>   <command>firewall-drop-aggressive</command>
>>   <location>local</location>
>>   <timeout>600</timeout>
>>   <rules_id>xxx</rules_id>
>>   <repeated_offenders>30,60,120,240,480</repeated_offenders>
>> </active-response>
>>
>> /x
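As an added illustration (not part of the thread), here are the three pieces Jesus's reply ties together: a decoder that actually extracts srcip, a command that declares it expects srcip, and the agent's own ossec.conf carrying repeated_offenders. The log line, decoder name and executable are assumptions; the command name firewall-drop-aggressive and the rules_id placeholder xxx are the ones from the thread.

```xml
<!-- Added example, not from the thread. Assumed application log line:
     "example-app: failed login from 203.0.113.7"
     <order>srcip</order> is what makes srcip available to active-response;
     without it the AR command below is never handed an IP. -->
<decoder name="example-app">
  <prematch>^example-app: </prematch>
  <regex offset="after_prematch">^failed login from (\S+)$</regex>
  <order>srcip</order>
</decoder>

<!-- Manager ossec.conf: the command states which field it needs (<expect>).
     If the triggering rule carries no srcip, OSSEC skips the response.
     firewall-drop.sh is OSSEC's stock script; the command name is from the thread. -->
<ossec_config>
  <command>
    <name>firewall-drop-aggressive</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop-aggressive</command>
    <location>local</location>
    <timeout>600</timeout>
    <rules_id>xxx</rules_id>
  </active-response>
</ossec_config>

<!-- Agent ossec.conf (on each agent, not shared/agent.conf): this is where
     repeated_offenders belongs, as the reply above points out. The list is
     the escalating block time in minutes for the 1st, 2nd, ... repeat. -->
<ossec_config>
  <active-response>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
  </active-response>
</ossec_config>
```

A quick check that the decoder part works is to feed the sample line to /var/ossec/bin/ossec-logtest and confirm srcip appears in the decoded fields before looking at the active-response side.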