On Thu, Nov 1, 2018 at 5:22 AM Giorgio Biondi <biondi.gior...@gmail.com> wrote:
>
> Hi all,
>
> It seems that "repeat offenders" does not work, at least in a server-agent 
> configuration. I have an OSSEC server with 10 agents. Below is an excerpt of 
> the ossec.conf configuration on the server. I repeated attacks from an IP 
> (obviously not the one you see; I intentionally put in a non-existent IP) and 
> the OSSEC agent continues to cancel the defense every 10 minutes, as if 
> "repeat offenders" were not configured. Where am I wrong?
>

I believe the repeated_offenders setting needs to be on the agent, not
the server? Something like that.
It's been a while since I used it.

>
> extract from my ossec.conf
>
>   <!-- Active Response Config -->
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for  600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>all</location>
>     <level>6</level>
>     <timeout>600</timeout>
>     <repeated_offenders>60,120,480</repeated_offenders>
>   </active-response>
>
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>all</location>
>     <level>6</level>
>     <timeout>600</timeout>
>     <repeated_offenders>60,120,480</repeated_offenders>
>   </active-response>
>
>
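
An added example, not part of the thread and not OSSEC project code: a small Python check for the placement question raised in the reply. It relies on the OSSEC documentation's description of `repeated_offenders` (increasing timeouts in minutes, at most five entries, set in the agent's own ossec.conf) and assumes an agent's ossec.conf can be recognised by its `<client>` section; the function name, finding codes and both sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MAX_ENTRIES = 5  # documented limit for repeated_offenders
# Constructed sample: the firewall-drop block from the post, as it sits on the manager.
MANAGER_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>60,120,480</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Constructed sample: an agent-side ossec.conf that carries the escalation list itself.
AGENT_CONF = """
<ossec_config>
  <client><server-ip>192.0.2.10</server-ip></client>
  <active-response>
    <disabled>no</disabled>
    <repeated_offenders>60,120,480</repeated_offenders>
  </active-response>
</ossec_config>
"""

def check_repeated_offenders(conf_text):
    """Return finding codes for one ossec.conf (comments stripped, roots wrapped)."""
    body = re.sub(r"<!--.*?-->", "", conf_text, flags=re.S)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    is_agent = root.find(".//client") is not None  # assumption: only agents have <client>
    lists = [e.text or "" for e in root.iter("repeated_offenders")]
    findings = []
    if lists and not is_agent:
        findings.append("set-on-manager")    # agents do not read the manager's copy
    if is_agent and not lists:
        findings.append("missing-on-agent")  # blocks always expire at <timeout>
    for raw in lists:
        if not re.fullmatch(r"\s*\d+(\s*,\s*\d+)*\s*", raw):
            findings.append("non-numeric")
            continue
        minutes = [int(p) for p in raw.split(",")]
        if len(minutes) > MAX_ENTRIES:
            findings.append("too-many-entries")
        if any(b <= a for a, b in zip(minutes, minutes[1:])):
            findings.append("not-increasing")
    return findings
```

Run against the manager's file, this reports `set-on-manager` for the configuration in the post; run against each agent's file, an empty list means the escalation list is present and well-formed there.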
