[ossec-list] Re: Repeated offenders - timeout of IP count
If you look in the logs directory on the clients, it will show you the commands that are run to add and remove IPs.

On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote:
> Hi,
>
> I would like to know for how long OSSEC "stores" the blocked IP so that it is considered as a repeated_offender, i.e. once it has been unblocked (after the first block), until how much later it will count as a repeated_offender. For example, if IP X is blocked now, will it still count as a repeated_offender tomorrow? And what action clears the count by IP, only the restart of the ossec-server service?
>
> Thank you!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Repeated offenders - timeout of IP count
By default, 10 minutes. But you can change it. Add this to the ossec.conf on the client machines. The values are in seconds and you can adjust them:

  600,3600,7200,14400

On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote:
> Hi,
>
> I would like to know for how long OSSEC "stores" the blocked IP so that it is considered as a repeated_offender, i.e. once it has been unblocked (after the first block), until how much later it will count as a repeated_offender. For example, if IP X is blocked now, will it still count as a repeated_offender tomorrow? And what action clears the count by IP, only the restart of the ossec-server service?
>
> Thank you!
Re: [ossec-list] Re: Repeated offenders?
Hi Jesus,

It worked much better! Kicking out offenders more and more now :-)

My Google-fu was also better yesterday and I found this blog post: https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

/x

On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens wrote:
> Thanks for the tips! I'll test again following your advice...
>
> /x
>
> On Thu, May 19, 2016 at 9:33 AM, Jesus Linares wrote:
>> Hi,
>>
>> I guess that your command needs an IP, so if your rule *xxx* doesn't have the field *srcip* extracted (by the proper decoder) the active-response will not work.
>>
>> Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of *every agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>>
>> Regards.
>>
>> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>> Hi *,
>>>
>>> I'm trying to implement a new active-response rule for a specific event (1 rule ID). It must be implemented with the tag.
>>>
>>> Problem: I've multiple active-response rules matching this event and it seems that OSSEC picks up the wrong one (repeated offenders are not applied).
>>>
>>> Any idea to debug this? The rule is:
>>>
>>>   firewall-drop-aggressive
>>>   local
>>>   600
>>>   xxx
>>>   30,60,120,240,480
>>>
>>> /x
Re: [ossec-list] Re: Repeated offenders?
Thanks for the tips! I'll test again following your advice...

/x

On Thu, May 19, 2016 at 9:33 AM, Jesus Linares wrote:
> Hi,
>
> I guess that your command needs an IP, so if your rule *xxx* doesn't have the field *srcip* extracted (by the proper decoder) the active-response will not work.
>
> Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of *every agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>
> Regards.
>
> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>> Hi *,
>>
>> I'm trying to implement a new active-response rule for a specific event (1 rule ID). It must be implemented with the tag.
>>
>> Problem: I've multiple active-response rules matching this event and it seems that OSSEC picks up the wrong one (repeated offenders are not applied).
>>
>> Any idea to debug this? The rule is:
>>
>>   firewall-drop-aggressive
>>   local
>>   600
>>   xxx
>>   30,60,120,240,480
>>
>> /x
[ossec-list] Re: Repeated offenders?
Hi,

I guess that your command needs an IP, so if your rule *xxx* doesn't have the field *srcip* extracted (by the proper decoder) the active-response will not work.

Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of *every agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).

Regards.

On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
> Hi *,
>
> I'm trying to implement a new active-response rule for a specific event (1 rule ID). It must be implemented with the tag.
>
> Problem: I've multiple active-response rules matching this event and it seems that OSSEC picks up the wrong one (repeated offenders are not applied).
>
> Any idea to debug this? The rule is:
>
>   firewall-drop-aggressive
>   local
>   600
>   xxx
>   30,60,120,240,480
>
> /x
Re: [ossec-list] Re: Repeated-offenders still not working
On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
> Anyone have any ideas on this?
>
> All,
>
> Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added the following directives to ossec.conf on the host that I want this to work in:
>
>   <command>
>     <name>host-deny</name>
>     <executable>host-deny.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for 600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
> Despite that, it's not working. Ossec reports the following:
>
>   OSSEC HIDS Notification.
>   2012 Mar 07 09:08:16
>
>   Received From: (plymouth) 192.168.1.2->/var/log/messages
>   Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>   Portion of the log(s):
>
>   Mar 7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
>   ...
>
> However, rather than OH invoking repeated-offenders, and blocking the offender for 600 seconds, I continue to see the offender make attempts on the host. What am I missing here?

Can you get onto the server when the block should be in effect? If so, what do you see in /etc/hosts.deny and from iptables -L?

At the time the blocks should be taking place, do you see anything in /var/log/messages or /var/ossec/logs/active-responses.log?

Are you running SELinux in enforcing mode?

--
-- Steve
Re: [ossec-list] Re: Repeated-offenders still not working
On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
> On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
>> Anyone have any ideas on this?
>>
>> All,
>>
>> Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added the following directives to ossec.conf on the host that I want this to work in:
>>
>>   <command>
>>     <name>host-deny</name>
>>     <executable>host-deny.sh</executable>
>>     <expect>srcip</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <active-response>
>>     <!-- This response is going to execute the host-deny
>>        - command for every event that fires a rule with
>>        - level (severity) >= 6.
>>        - The IP is going to be blocked for 600 seconds.
>>       -->
>>     <command>host-deny</command>
>>     <location>local</location>
>>     <level>6</level>
>>     <timeout>600</timeout>
>>   </active-response>
>>
>> Despite that, it's not working. Ossec reports the following:
>>
>>   OSSEC HIDS Notification.
>>   2012 Mar 07 09:08:16
>>
>>   Received From: (plymouth) 192.168.1.2->/var/log/messages
>>   Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>>   Portion of the log(s):
>>
>>   Mar 7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
>>   ...
>>
>> However, rather than OH invoking repeated-offenders, and blocking the offender for 600 seconds, I continue to see the offender make attempts on the host. What am I missing here?
>
> Can you get onto the server when the block should be in effect? If so, what do you see in /etc/hosts.deny and from iptables -L?
>
> At the time the blocks should be taking place, do you see anything in /var/log/messages or /var/ossec/logs/active-responses.log?
>
> Are you running SELinux in enforcing mode?
>
> --
> -- Steve

Steve,

Thanks for your response. By grepping for the offending IP address in /var/ossec/logs/active-responses.log, I saw that host-deny.sh add and firewall-drop.sh add were fired. Ten minutes later, host-deny.sh delete and firewall-drop.sh delete were fired. So, it appears that repeated-offenders is working. I just didn't know where to look.

I guess I'd like an email notification when the blocks/unblocks are fired. How/where do I enable that?

Again, thanks.

Dimitri
Re: [ossec-list] Re: Repeated-offenders still not working
On 03/12/2012 11:53 AM, Dimitri Yioulos wrote:
> On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
>> On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
>>> Anyone have any ideas on this?
>>>
>>> All,
>>>
>>> Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added the following directives to ossec.conf on the host that I want this to work in:
>>>
>>>   <command>
>>>     <name>host-deny</name>
>>>     <executable>host-deny.sh</executable>
>>>     <expect>srcip</expect>
>>>     <timeout_allowed>yes</timeout_allowed>
>>>   </command>
>>>
>>>   <active-response>
>>>     <!-- This response is going to execute the host-deny
>>>        - command for every event that fires a rule with
>>>        - level (severity) >= 6.
>>>        - The IP is going to be blocked for 600 seconds.
>>>       -->
>>>     <command>host-deny</command>
>>>     <location>local</location>
>>>     <level>6</level>
>>>     <timeout>600</timeout>
>>>   </active-response>
>>>
>>> Despite that, it's not working. Ossec reports the following:
>>>
>>>   OSSEC HIDS Notification.
>>>   2012 Mar 07 09:08:16
>>>
>>>   Received From: (plymouth) 192.168.1.2->/var/log/messages
>>>   Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>>>   Portion of the log(s):
>>>
>>>   Mar 7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
>>>   ...
>>>
>>> However, rather than OH invoking repeated-offenders, and blocking the offender for 600 seconds, I continue to see the offender make attempts on the host. What am I missing here?
>>
>> Can you get onto the server when the block should be in effect? If so, what do you see in /etc/hosts.deny and from iptables -L?
>>
>> At the time the blocks should be taking place, do you see anything in /var/log/messages or /var/ossec/logs/active-responses.log?
>>
>> Are you running SELinux in enforcing mode?
>>
>> --
>> -- Steve
>
> Steve,
>
> Thanks for your response. By grepping for the offending IP address in /var/ossec/logs/active-responses.log, I saw that host-deny.sh add and firewall-drop.sh add were fired. Ten minutes later, host-deny.sh delete and firewall-drop.sh delete were fired. So, it appears that repeated-offenders is working. I just didn't know where to look.
>
> I guess I'd like an email notification when the blocks/unblocks are fired. How/where do I enable that?

I think this is what you want. By the way, if you're playing with rules that lock people out, be sure to whitelist your own IP first.

http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/
http://www.ossec.net/wiki/Know_How:White_list

--
-- Steve
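Dimitri found his answer by grepping active-responses.log for the add and delete lines of his host-deny and firewall-drop scripts. As an added example (written for this page, not code from the list or from OSSEC itself), the Python script below replays constructed lines of that shape: it pairs each add with the matching delete per IP and script, reports how long each block lasted, and flags an IP whose later block outlasted an earlier one, which is the observable sign that repeated_offenders is being applied rather than the flat timeout Chris describes further down. The line layout (date, script path, action, user, IP, alert id, rule id) is assumed from what the stock response scripts log; the sample addresses are documentation ranges, not real offenders. Check the regex against a real line from your own log before trusting its output.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the layout the stock active-response scripts
# append to /var/ossec/logs/active-responses.log (assumed here:
# "<date> <script> <action> <user> <ip> <alert id> <rule id>").
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Wed Mar  7 09:08:16 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.45 1331129296.1234 40111
Wed Mar  7 09:08:16 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.45 1331129296.1234 40111
Wed Mar  7 09:18:16 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.45 1331129296.1234 40111
Wed Mar  7 09:18:16 EST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 203.0.113.45 1331129296.1234 40111
Wed Mar  7 09:30:02 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.45 1331130602.5678 40111
Wed Mar  7 09:45:00 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1331131500.1 5712
Wed Mar  7 10:00:02 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.45 1331130602.5678 40111
"""

# Weekday and timezone abbreviation are skipped: strptime cannot parse
# arbitrary zone names, and the pairing only needs relative times.
LINE_RE = re.compile(
    r"^\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+(?P<year>\d{4})\s+"
    r"(?P<script>\S+)\s+(?P<action>add|delete)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<alert_id>\S+)\s+(?P<rule_id>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for one active-responses.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {m['year']}", "%b %d %H:%M:%S %Y"
    )
    return {
        "time": stamp,
        "script": os.path.basename(m["script"]),
        "action": m["action"],
        "ip": m["ip"],
        "rule_id": m["rule_id"],
    }


def replay(log_text):
    """Pair every 'add' with the matching 'delete' for the same IP and script.

    Returns (completed, still_open): completed maps an IP to a list of
    (script, seconds blocked) tuples in the order the deletes were seen;
    still_open maps (ip, script) to the time of an add with no delete yet.
    """
    still_open = {}
    completed = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unrelated or malformed line: skip rather than guess
        key = (rec["ip"], rec["script"])
        if rec["action"] == "add":
            still_open[key] = rec["time"]
        elif key in still_open:
            started = still_open.pop(key)
            seconds = int((rec["time"] - started).total_seconds())
            completed[rec["ip"]].append((rec["script"], seconds))
    return dict(completed), still_open


def durations_by_ip(log_text):
    return replay(log_text)[0]


def currently_blocked(log_text):
    """IPs with an add that has no later delete in this log."""
    return {ip for ip, _script in replay(log_text)[1]}


def escalation_seen(log_text, ip):
    """True if a later block of this IP (same script) lasted longer than an
    earlier one: the visible effect of repeated_offenders being honoured."""
    by_script = defaultdict(list)
    for script, seconds in durations_by_ip(log_text).get(ip, []):
        by_script[script].append(seconds)
    return any(
        later > earlier
        for runs in by_script.values()
        for earlier, later in zip(runs, runs[1:])
    )


if __name__ == "__main__":
    for ip, runs in durations_by_ip(SAMPLE_LOG).items():
        print(ip, runs, "escalated" if escalation_seen(SAMPLE_LOG, ip) else "flat")
    print("still blocked:", sorted(currently_blocked(SAMPLE_LOG)))
```

Point it at a real file with `replay(open("/var/ossec/logs/active-responses.log").read())`. An IP that shows only equal durations (600, 600, 600) after several blocks is exactly the "blocked every 600 seconds" symptom from the other thread; an IP in `currently_blocked` with no delete for longer than the configured timeout points at a delete action that failed, which is the case where hosts.deny and iptables -L should be checked by hand as Steve suggests.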
Re: [ossec-list] Re: Repeated Offenders not triggering
Confirmed. So to re-cap and clarify on Jake's discovery, the repeated_offenders block goes on the AGENTS' ossec.conf file. Also important is that the repeated_offenders block is NOT on the server's ossec.conf (I had repeated offenders in each active response block, and the agents were ignoring the initial timeout and going right to the first repeated_offenders value).

Also this seems to work across the whole network, i.e. if 1 machine gets a brute-force attack and the active response triggers, and later a different machine gets attacked by the same source, it will go to repeated_offenders :)

Thanks again, Jake, for the testing you did with this, and thanks Dan for updating the docs :)

----- Original Message -----
From: Chris Warren chris.war...@netelligent.ca
To: ossec-list@googlegroups.com
Sent: Saturday, December 17, 2011 10:37:41 AM
Subject: Re: [ossec-list] Re: Repeated Offenders not triggering

GREAT news! I will test this in my server/client configuration with block <location>all</location>. I'm hoping that the repeated_offenders timeouts on each agent will determine this from the active-response.log. Otherwise, I'd assume repeated_offenders would only be blocked per-agent. I manage my config changes with puppet so it should be a quick fix :)

----- Original Message -----
From: c0by jake@gmail.com
To: ossec-list ossec-list@googlegroups.com
Sent: Saturday, December 17, 2011 7:46:25 AM
Subject: [ossec-list] Re: Repeated Offenders not triggering

I did some more testing, and I am happy to say I believe this issue is SOLVED! The issue is that the repeated offenders configuration needs to be on the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I believe you could have it on both so it is used for both the server and agent. It can't go in the agent.conf currently, which would have been nice, but it's fine for now.

For more details on this see my post on this solution here: http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake

On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
> Good find! Thank you! Unfortunately the source is still a little over my head... just meaning that I don't have the time right now to get in and learn. But I work regularly with a couple of different ossec server/agent groups for different clients, and can definitely help to test any code patches, and/or help with any diagnostic testing. I'd love to see this feature work, but it is by no means a deal-breaker for me.
>
> ----- Original Message -----
> From: jake 22s jake@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Friday, December 16, 2011 6:09:51 PM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> I can confirm that repeated_offenders *does* work on a local only install. I too run an agent / server setup with blocks going to all agents. With this setup repeated_offenders does *not* work. It says it's loaded in the start up log but it is ignored and the default ar timeout is always used. So going by your suggestion, I installed a fresh local only ossec install on a development server and it does indeed work. Looks like some code must be missing from the agent only build perhaps. Not done much testing yet, but will do more later and have a read through the source. Any of the developers know much about this?
>
> -----Original Message-----
> From: Chris Warren chris.war...@netelligent.ca
> Sender: ossec-list@googlegroups.com
> Date: Fri, 16 Dec 2011 14:41:38
> To: ossec-list@googlegroups.com
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Could be that it's only working for local setups currently? I am using server/agent, with active responses triggering blocks on all servers. Even so, I repeatedly abused 1 single server and could not get the repeated_offenders timeout to trigger.
>
> Anybody with a local install that can test this, or has it working?
>
> ----- Original Message -----
> From: jake 22s jake@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Wednesday, December 14, 2011 6:56:47 AM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Moving the repeated_offenders to its own block did not work for me. I don't see anything in the log on start either. Is this feature confirmed as working? Just doesn't seem to have many docs for it, would be a nice feature to use.
>
> Jake
> Sent using BlackBerry® from Orange
>
> -----Original Message-----
> From: Chris Warren chris.war...@netelligent.ca
> Sender: ossec-list@googlegroups.com
> Date: Tue, 13 Dec 2011 15:55:40
> To: ossec-list@googlegroups.com
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Sometimes I see the same host blocked every 600 seconds (the timeout value). I tried adding the repeated_offenders list to its own block as the documentation suggested, but then I do not see:
>
>   2011/12/12 19:39
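The thread's conclusion is a placement rule: the <repeated_offenders> list goes in its own <active-response> block (as dan's example shows), in the ossec.conf of every agent that runs the response, not in agent.conf and not only on the manager. As an added example (written for this page, not the list members' configs or OSSEC's own code), the Python check below parses an ossec.conf fragment, reports the layouts the thread describes as not working, and shows which configured value would govern the n-th block of the same source. Two assumptions are built into the model and labelled in the code: a list nested inside the command block is treated as not honoured, and past the end of the list the last value is reused. Verify both against the "Adding offenders timeout" lines ossec-execd writes at startup on your own agents.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragments for this example (not anyone's real
# config). BAD_CONF nests the list inside the command block; GOOD_CONF
# gives it its own <active-response> block, the layout dan's example uses.
BAD_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120,1440</repeated_offenders>
  </active-response>
</ossec_config>
"""

GOOD_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <repeated_offenders>30,60,120,1440</repeated_offenders>
  </active-response>
</ossec_config>
"""


def _parse_list(raw):
    """Turn '30, 60,120' into [30, 60, 120]; raises ValueError on junk."""
    return [int(v.strip()) for v in raw.split(",") if v.strip()]


def check_active_response(xml_text):
    """Return a list of findings; empty when the layout matches the thread's fix."""
    findings = []
    root = ET.fromstring(xml_text)
    blocks = root.findall("active-response")
    if not any(b.find("repeated_offenders") is not None for b in blocks):
        findings.append("no <repeated_offenders> list anywhere; repeats will reuse <timeout>")
    for n, block in enumerate(blocks, 1):
        tags = [child.tag for child in block]
        if "repeated_offenders" in tags:
            if tags != ["repeated_offenders"]:
                findings.append(
                    f"block {n}: <repeated_offenders> must be alone in its own <active-response>"
                )
            try:
                values = _parse_list(block.findtext("repeated_offenders", ""))
            except ValueError:
                findings.append(f"block {n}: <repeated_offenders> is not a comma-separated list of integers")
                continue
            if not values or any(v <= 0 for v in values) or values != sorted(values):
                findings.append(f"block {n}: <repeated_offenders> should be increasing positive values")
            continue
        for required in ("command", "location"):
            if required not in tags:
                findings.append(f"block {n}: missing <{required}>")
        if "timeout" not in tags:
            findings.append(
                f"block {n}: no <timeout>, so the response is never reverted and there is nothing to escalate"
            )
    return findings


def timeout_for(xml_text, occurrence):
    """Which configured value governs the n-th block of the same source.

    Models the behaviour the thread reports: the first block uses <timeout>,
    later ones walk the stand-alone <repeated_offenders> list. Assumed here,
    not taken from OSSEC source: a list nested in the command block is not
    honoured, and past the end of the list the last value is reused.
    Returns (label, value); the label mirrors execd's "(for #n)" numbering.
    """
    root = ET.fromstring(xml_text)
    base, repeats = None, []
    for block in root.findall("active-response"):
        tags = [child.tag for child in block]
        if tags == ["repeated_offenders"]:
            repeats = _parse_list(block.findtext("repeated_offenders", ""))
        elif "timeout" in tags:
            base = int(block.findtext("timeout").strip())
    if occurrence <= 1 or not repeats:
        return ("timeout", base)
    idx = min(occurrence - 2, len(repeats) - 1)
    return (f"repeated_offenders #{idx + 1}", repeats[idx])


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, check_active_response(conf) or "ok")
        print("   ", [timeout_for(conf, n) for n in (1, 2, 3, 6)])
```

Run `check_active_response(open(path).read())` against each agent's /var/ossec/etc/ossec.conf, since that is the file the thread found the list has to live in; a clean result on the manager alone says nothing about the agents. The value returned by `timeout_for` is the raw number from the configuration, with no unit attached, because the thread itself is not consistent about the unit of the list entries.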
Re: [ossec-list] Re: Repeated Offenders not triggering
Thanks for finding that. If I haven't already, I'll update the docs.

On Sat, Dec 17, 2011 at 7:46 AM, c0by jake@gmail.com wrote:
> I did some more testing, and I am happy to say I believe this issue is SOLVED! The issue is that the repeated offenders configuration needs to be on the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I believe you could have it on both so it is used for both the server and agent. It can't go in the agent.conf currently, which would have been nice, but it's fine for now.
>
> For more details on this see my post on this solution here: http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
>
> Regards
> Jake
>
> On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
>> Good find! Thank you! Unfortunately the source is still a little over my head... just meaning that I don't have the time right now to get in and learn. But I work regularly with a couple of different ossec server/agent groups for different clients, and can definitely help to test any code patches, and/or help with any diagnostic testing. I'd love to see this feature work, but it is by no means a deal-breaker for me.
>>
>> ----- Original Message -----
>> From: jake 22s jake@gmail.com
>> To: ossec-list@googlegroups.com
>> Sent: Friday, December 16, 2011 6:09:51 PM
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> I can confirm that repeated_offenders *does* work on a local only install. I too run an agent / server setup with blocks going to all agents. With this setup repeated_offenders does *not* work. It says it's loaded in the start up log but it is ignored and the default ar timeout is always used. So going by your suggestion, I installed a fresh local only ossec install on a development server and it does indeed work. Looks like some code must be missing from the agent only build perhaps. Not done much testing yet, but will do more later and have a read through the source. Any of the developers know much about this?
>>
>> -----Original Message-----
>> From: Chris Warren chris.war...@netelligent.ca
>> Sender: ossec-list@googlegroups.com
>> Date: Fri, 16 Dec 2011 14:41:38
>> To: ossec-list@googlegroups.com
>> Reply-To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Could be that it's only working for local setups currently? I am using server/agent, with active responses triggering blocks on all servers. Even so, I repeatedly abused 1 single server and could not get the repeated_offenders timeout to trigger.
>>
>> Anybody with a local install that can test this, or has it working?
>>
>> ----- Original Message -----
>> From: jake 22s jake@gmail.com
>> To: ossec-list@googlegroups.com
>> Sent: Wednesday, December 14, 2011 6:56:47 AM
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Moving the repeated_offenders to its own block did not work for me. I don't see anything in the log on start either. Is this feature confirmed as working? Just doesn't seem to have many docs for it, would be a nice feature to use.
>>
>> Jake
>> Sent using BlackBerry® from Orange
>>
>> -----Original Message-----
>> From: Chris Warren chris.war...@netelligent.ca
>> Sender: ossec-list@googlegroups.com
>> Date: Tue, 13 Dec 2011 15:55:40
>> To: ossec-list@googlegroups.com
>> Reply-To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Sometimes I see the same host blocked every 600 seconds (the timeout value). I tried adding the repeated_offenders list to its own block as the documentation suggested, but then I do not see:
>>
>>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
>>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
>>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
>>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>>
>> I will be doing some more testing as well, and will report back if I find a solution.
>>
>> ----- Original Message -----
>> From: dan (ddp) ddp...@gmail.com
>> To: ossec-list@googlegroups.com
>> Sent: Tuesday, December 13, 2011 3:46:23 PM
>> Subject: Re: [ossec-list] Repeated Offenders not triggering
>>
>> Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/ I think the repeated_offenders list should be in its own block. Example:
>>
>>   <active-response>
>>     <command>firewall-drop</command>
>>     <location>all</location>
>>     <level>7</level>
>>     <timeout>600</timeout>
>>   </active-response>
>>   <active-response>
>>     <repeated_offenders>30,60,120,1440</repeated_offenders>
>>   </active-response>
>>
>> Again, I'm not sure and I don't know how easy this will be for me to test.
>>
>> On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren chris.war...@netelligent.ca wrote:
>>> Hi,
>>>
>>> I'm trying out the repeated_offenders option but it does not seem to be triggering. Here is my active response config:
>>>
>>>   <active-response>
>>>     <!-- Firewall Drop response. Block the IP for
>>>        - 600 seconds
[ossec-list] Re: Repeated Offenders not triggering
I did some more testing, and I am happy to say I believe this issue is SOLVED! The issue is that the repeated offenders configuration needs to be on the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I believe you could have it on both so it is used for both the server and agent. It can't go in the agent.conf currently, which would have been nice, but it's fine for now.

For more details on this see my post on this solution here: http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake

On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
> Good find! Thank you! Unfortunately the source is still a little over my head... just meaning that I don't have the time right now to get in and learn. But I work regularly with a couple of different ossec server/agent groups for different clients, and can definitely help to test any code patches, and/or help with any diagnostic testing. I'd love to see this feature work, but it is by no means a deal-breaker for me.
>
> ----- Original Message -----
> From: jake 22s jake@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Friday, December 16, 2011 6:09:51 PM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> I can confirm that repeated_offenders *does* work on a local only install. I too run an agent / server setup with blocks going to all agents. With this setup repeated_offenders does *not* work. It says it's loaded in the start up log but it is ignored and the default ar timeout is always used. So going by your suggestion, I installed a fresh local only ossec install on a development server and it does indeed work. Looks like some code must be missing from the agent only build perhaps. Not done much testing yet, but will do more later and have a read through the source. Any of the developers know much about this?
>
> -----Original Message-----
> From: Chris Warren chris.war...@netelligent.ca
> Sender: ossec-list@googlegroups.com
> Date: Fri, 16 Dec 2011 14:41:38
> To: ossec-list@googlegroups.com
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Could be that it's only working for local setups currently? I am using server/agent, with active responses triggering blocks on all servers. Even so, I repeatedly abused 1 single server and could not get the repeated_offenders timeout to trigger.
>
> Anybody with a local install that can test this, or has it working?
>
> ----- Original Message -----
> From: jake 22s jake@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Wednesday, December 14, 2011 6:56:47 AM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Moving the repeated_offenders to its own block did not work for me. I don't see anything in the log on start either. Is this feature confirmed as working? Just doesn't seem to have many docs for it, would be a nice feature to use.
>
> Jake
> Sent using BlackBerry® from Orange
>
> -----Original Message-----
> From: Chris Warren chris.war...@netelligent.ca
> Sender: ossec-list@googlegroups.com
> Date: Tue, 13 Dec 2011 15:55:40
> To: ossec-list@googlegroups.com
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Sometimes I see the same host blocked every 600 seconds (the timeout value). I tried adding the repeated_offenders list to its own block as the documentation suggested, but then I do not see:
>
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>
> I will be doing some more testing as well, and will report back if I find a solution.
>
> ----- Original Message -----
> From: dan (ddp) ddp...@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Tuesday, December 13, 2011 3:46:23 PM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/ I think the repeated_offenders list should be in its own block. Example:
>
>   <active-response>
>     <command>firewall-drop</command>
>     <location>all</location>
>     <level>7</level>
>     <timeout>600</timeout>
>   </active-response>
>   <active-response>
>     <repeated_offenders>30,60,120,1440</repeated_offenders>
>   </active-response>
>
> Again, I'm not sure and I don't know how easy this will be for me to test.
>
> On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren chris.war...@netelligent.ca wrote:
>> Hi,
>>
>> I'm trying out the repeated_offenders option but it does not seem to be triggering. Here is my active response config:
>>
>>   <active-response>
>>     <!-- Firewall Drop response. Block the IP for
>>        - 600 seconds on the firewall (iptables,
>>        - ipfilter, etc). -->
>>     <command>firewall-drop</command>
>>     <location>all</location>
>>     <level>7</level>
Re: [ossec-list] Re: Repeated Offenders not triggering
GREAT news! I will test this in my server/client configuration with block <location>all</location>. I'm hoping that the repeated_offenders timeouts on each agent will determine this from the active-response.log. Otherwise, I'd assume repeated_offenders would only be blocked per-agent. I manage my config changes with puppet so it should be a quick fix :)

----- Original Message -----
From: c0by jake@gmail.com
To: ossec-list ossec-list@googlegroups.com
Sent: Saturday, December 17, 2011 7:46:25 AM
Subject: [ossec-list] Re: Repeated Offenders not triggering

I did some more testing, and I am happy to say I believe this issue is SOLVED! The issue is that the repeated offenders configuration needs to be on the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I believe you could have it on both so it is used for both the server and agent. It can't go in the agent.conf currently, which would have been nice, but it's fine for now.

For more details on this see my post on this solution here: http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake

On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
> Good find! Thank you! Unfortunately the source is still a little over my head... just meaning that I don't have the time right now to get in and learn. But I work regularly with a couple of different ossec server/agent groups for different clients, and can definitely help to test any code patches, and/or help with any diagnostic testing. I'd love to see this feature work, but it is by no means a deal-breaker for me.
>
> ----- Original Message -----
> From: jake 22s jake@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Friday, December 16, 2011 6:09:51 PM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> I can confirm that repeated_offenders *does* work on a local only install. I too run an agent / server setup with blocks going to all agents. With this setup repeated_offenders does *not* work. It says it's loaded in the start up log but it is ignored and the default ar timeout is always used. So going by your suggestion, I installed a fresh local only ossec install on a development server and it does indeed work. Looks like some code must be missing from the agent only build perhaps. Not done much testing yet, but will do more later and have a read through the source. Any of the developers know much about this?
>
> -----Original Message-----
> From: Chris Warren chris.war...@netelligent.ca
> Sender: ossec-list@googlegroups.com
> Date: Fri, 16 Dec 2011 14:41:38
> To: ossec-list@googlegroups.com
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Could be that it's only working for local setups currently? I am using server/agent, with active responses triggering blocks on all servers. Even so, I repeatedly abused 1 single server and could not get the repeated_offenders timeout to trigger.
>
> Anybody with a local install that can test this, or has it working?
>
> ----- Original Message -----
> From: jake 22s jake@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Wednesday, December 14, 2011 6:56:47 AM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Moving the repeated_offenders to its own block did not work for me. I don't see anything in the log on start either. Is this feature confirmed as working? Just doesn't seem to have many docs for it, would be a nice feature to use.
>
> Jake
> Sent using BlackBerry® from Orange
>
> -----Original Message-----
> From: Chris Warren chris.war...@netelligent.ca
> Sender: ossec-list@googlegroups.com
> Date: Tue, 13 Dec 2011 15:55:40
> To: ossec-list@googlegroups.com
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Sometimes I see the same host blocked every 600 seconds (the timeout value). I tried adding the repeated_offenders list to its own block as the documentation suggested, but then I do not see:
>
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
>   2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>
> I will be doing some more testing as well, and will report back if I find a solution.
>
> ----- Original Message -----
> From: dan (ddp) ddp...@gmail.com
> To: ossec-list@googlegroups.com
> Sent: Tuesday, December 13, 2011 3:46:23 PM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/ I think the repeated_offenders list should be in its own block. Example:
>
>   <active-response>
>     <command>firewall-drop</command>
>     <location>all</location>
>     <level>7</level>
>     <timeout>600</timeout>
>   </active-response>
>   <active-response>
>     <repeated_offenders>30,60,120,1440