By default, 10 minutes. But you can change it. Add this to the ossec.conf on the client machines. The values are in seconds and you can adjust them.

<active-response>
  <repeated_offenders>600,3600,7200, 14400</repeated_offenders>
</active-response>

On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote:
>
> Hi,
>
> I would like to know for how long OSSEC "stores" the blocked IP so
> that it is considered a repeated_offender, i.e. once it has been
> unblocked (after the first block), until how much later it will count as a
> repeated_offender. For example, if IP X is blocked now, will it still
> count as a repeated_offender tomorrow? And what action clears the count
> by IP, only the restart of the ossec-server service?
>
> Thank you!
>