[ossec-list] Re: Repeated offenders - timeout of IP count

2018-03-27 Thread Bill Price

If you look in the logs directory on the clients, it will show you the 
commands that are run to add and remove IPs.  
On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote:
>
> Hi,
>
> I would like to know for how long OSSEC "stores" a blocked IP so 
> that it is considered a repeated_offender, i.e. once it has been 
> unblocked (after the first block), until how much later will it count as a 
> repeated_offender. For example, if IP X is blocked now, will it still 
> count as a repeated_offender tomorrow? And what action clears the count 
> by IP, only a restart of the ossec-server service?
>
> Thank you!
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Repeated offenders - timeout of IP count

2018-03-27 Thread Bill Price
By default, 10 minutes.  But you can change it.

Add this to the ossec.conf on the client machines.  The values are in 
seconds and you can adjust them.

<active-response>
  <!-- escalating timeouts for an IP that gets blocked again -->
  <repeated_offenders>600,3600,7200,14400</repeated_offenders>
</active-response>

On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote:
>
> Hi,
>
> I would like to know for how long OSSEC "stores" a blocked IP so 
> that it is considered a repeated_offender, i.e. once it has been 
> unblocked (after the first block), until how much later will it count as a 
> repeated_offender. For example, if IP X is blocked now, will it still 
> count as a repeated_offender tomorrow? And what action clears the count 
> by IP, only a restart of the ossec-server service?
>
> Thank you!
>



Re: [ossec-list] Re: Repeated offenders?

2016-05-20 Thread Xavier Mertens
Hi Jesus,
It worked much better! Kicking out offenders more and more now :-)
My Google-fu was also better yesterday and I found this blog post:
https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

/x


On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens 
wrote:

> Thanks for the tips! I'll test again following your advice...
>
> /x
>
> On Thu, May 19, 2016 at 9:33 AM, Jesus Linares  wrote:
>
>> Hi,
>>
>> I guess that your command needs an IP, so if your rule *xxx *doesn't
>> have the field *srcip *extracted (by the proper decoder) the
>> active-response will not work.
>>
>> Also, keep in mind that *repeated_offenders *must be in* ossec.conf* of 
>> *every
>> agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>>
>> Regards.
>>
>> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>>
>>> Hi *,
>>>
>>> I'm trying to implement a new active-response rule for a specific event
>>> (1 rule ID).
>>> It must be implemented with the  tag.
>>>
>>> Problem: I've multiple active-response rules matching this event and it
>>> seems that OSSEC picks up the wrong one (repeated offenders are not
>>> applied).
>>>
>>> Any idea to debug this? The rule is:
>>>
>>> <active-response>
>>>   <command>firewall-drop-aggressive</command>
>>>   <location>local</location>
>>>   <timeout>600</timeout>
>>>   <rules_id>xxx</rules_id>
>>>   <repeated_offenders>30,60,120,240,480</repeated_offenders>
>>> </active-response>
>>>
>>> /x
>>>
>
>



Re: [ossec-list] Re: Repeated offenders?

2016-05-19 Thread Xavier Mertens
Thanks for the tips! I'll test again following your advice...

/x

On Thu, May 19, 2016 at 9:33 AM, Jesus Linares  wrote:

> Hi,
>
> I guess that your command needs an IP, so if your rule *xxx *doesn't have
> the field *srcip *extracted (by the proper decoder) the active-response
> will not work.
>
> Also, keep in mind that *repeated_offenders *must be in* ossec.conf* of *every
> agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).
>
> Regards.
>
> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>
>> Hi *,
>>
>> I'm trying to implement a new active-response rule for a specific event
>> (1 rule ID).
>> It must be implemented with the  tag.
>>
>> Problem: I've multiple active-response rules matching this event and it
>> seems that OSSEC picks up the wrong one (repeated offenders are not
>> applied).
>>
>> Any idea to debug this? The rule is:
>>
>> <active-response>
>>   <command>firewall-drop-aggressive</command>
>>   <location>local</location>
>>   <timeout>600</timeout>
>>   <rules_id>xxx</rules_id>
>>   <repeated_offenders>30,60,120,240,480</repeated_offenders>
>> </active-response>
>>
>> /x
>>



[ossec-list] Re: Repeated offenders?

2016-05-19 Thread Jesus Linares
Hi,

I guess that your command needs an IP, so if your rule *xxx *doesn't have 
the field *srcip *extracted (by the proper decoder) the active-response 
will not work.

Also, keep in mind that *repeated_offenders *must be in* ossec.conf* of *every 
agent* (*shared/agent.conf* or *manager/ossec.conf* are not valid).

Regards.

On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>
> Hi *,
>
> I'm trying to implement a new active-response rule for a specific event (1 
> rule ID).
> It must be implemented with the  tag.
>
> Problem: I've multiple active-response rules matching this event and it 
> seems that OSSEC picks up the wrong one (repeated offenders are not 
> applied).
>
> Any idea to debug this? The rule is:
>
> <active-response>
>   <command>firewall-drop-aggressive</command>
>   <location>local</location>
>   <timeout>600</timeout>
>   <rules_id>xxx</rules_id>
>   <repeated_offenders>30,60,120,240,480</repeated_offenders>
> </active-response>
>
> /x
>



Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
 Anyone have any ideas on this?
 
 
 All,

 Back at the end of last year, I asked about using the repeated-offenders 
 feature  
 in OH.  I added the following directives to ossec.conf on the host that I 
 want 
 this to work in:

   <command>
     <name>host-deny</name>
     <executable>host-deny.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <active-response>
     <!-- This response is going to execute the host-deny
        - command for every event that fires a rule with
        - level (severity) >= 6.
        - The IP is going to be blocked for 600 seconds.
       -->
     <command>host-deny</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>

 Despite that, it's not working.  Ossec reports the following:

 OSSEC HIDS Notification.
 2012 Mar 07 09:08:16

 Received From: (plymouth) 192.168.1.2->/var/log/messages
 Rule: 40111 fired (level 10) - Multiple authentication failures.
 Portion of the log(s):

 Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod 
 host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
 ...

 However, rather than OH invoking repeated-offenders, and blocking the 
 offender 
 for 600 seconds, I continue to see the offender make attempts on the host.

 What am I missing here?


Can you get onto the server when the block should be in effect?

If so, what do you see in /etc/hosts.deny and from iptables -L?

At the time the blocks should be taking place, do you see anything in
/var/log/messages or /var/ossec/logs/active-responses.log?

Are you running SELinux in enforcing mode?


-- 
-- Steve


Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Dimitri Yioulos
On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
 On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
  Anyone have any ideas on this?
 
  All,
 
  Back at the end of last year, I asked about using the repeated-offenders
  feature
  in OH.  I added the following directives to ossec.conf on the host that
  I want this to work in:
 
   <command>
     <name>host-deny</name>
     <executable>host-deny.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <active-response>
     <!-- This response is going to execute the host-deny
        - command for every event that fires a rule with
        - level (severity) >= 6.
        - The IP is going to be blocked for 600 seconds.
       -->
     <command>host-deny</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>
 
  Despite that, it's not working.  Ossec reports the following:
 
  OSSEC HIDS Notification.
  2012 Mar 07 09:08:16
 
  Received From: (plymouth) 192.168.1.2->/var/log/messages
  Rule: 40111 fired (level 10) - Multiple authentication failures.
  Portion of the log(s):
 
  Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod
  host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
  ...
 
  However, rather than OH invoking repeated-offenders, and blocking the
  offender for 600 seconds, I continue to see the offender make attempts
  on the host.
 
  What am I missing here?

 Can you get onto the server when the block should be in effect?

 If so, what do you see in /etc/hosts.deny and from iptables -L?

 At the time the blocks should be taking place, do you see anything in
 /var/log/messages or /var/ossec/logs/active-responses.log?

 Are you running SELinux in enforcing mode?


 --
 -- Steve


Steve,

Thanks for your response.  By grepping for the offending IP addy 
in /var/ossec/logs/active-responses.log, I saw that host-deny.sh add 
and firewall-drop.sh add were fired.  Ten minutes later, host-deny.sh 
delete and firewall-drop.sh delete were fired.  So, it appears that 
repeated-offenders is working.  I just didn't know where to look.  I guess I'd 
like an email notification when the blocks/unblocks are fired.  How/where do I 
enable that?

Again, thanks.

Dimitri

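Dimitri's grep of /var/ossec/logs/active-responses.log just above, and the escalating repeated_offenders list Bill Price posted at the top of the page, come down to the same question: did each block of an IP last as long as the configured schedule says it should? The script below is an added example written for this page; it is not code from the thread or from the OSSEC project. It parses lines in the shape the stock active-response scripts append to active-responses.log (date, script path, add or delete, user, source IP, alert id, rule id), pairs each add with the next delete for the same script and IP, and compares the observed duration with an assumed escalation rule: the first block of an IP gets the active-response `<timeout>`, block n >= 2 gets entry n-1 of the repeated_offenders list, and the last entry keeps applying once the list is exhausted. The sample log, the second IP 203.0.113.5 and the `unit_seconds` parameter are constructed for the example; Bill Price treats the list values as seconds while the OSSEC manual documents them as minutes, so pass `unit_seconds=60` if that is how your version applies them.

```python
"""Audit OSSEC active-response block durations against a repeated_offenders
schedule. Added example for the ossec-list threads on this page; not OSSEC code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/ossec/logs/active-responses.log. The stock scripts
# append "<date> <script> <action> <user> <srcip> <alert id> <rule id>"; the
# offender IP and rule 40111 are the ones Dimitri's alert mentions, everything
# else (times, alert ids, 203.0.113.5) is made up for the example.
SAMPLE_LOG = """\
Wed Mar  7 09:08:16 UTC 2012 /var/ossec/active-response/bin/host-deny.sh add - 201.93.132.240 1331111296.1 40111
Wed Mar  7 09:08:16 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 201.93.132.240 1331111296.1 40111
Wed Mar  7 09:18:16 UTC 2012 /var/ossec/active-response/bin/host-deny.sh delete - 201.93.132.240 1331111296.1 40111
Wed Mar  7 09:18:16 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 201.93.132.240 1331111296.1 40111
Wed Mar  7 10:02:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 201.93.132.240 1331114520.7 40111
Wed Mar  7 11:02:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 201.93.132.240 1331114520.7 40111
Wed Mar  7 11:30:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1331119800.2 40111
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<ip>\S+) (?P<alert>\S+) (?P<rule>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not an add/delete record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"time": stamp, "script": m["script"].rsplit("/", 1)[-1],
            "action": m["action"], "ip": m["ip"], "rule": m["rule"]}


def expected_timeout(offense_number, base_timeout, repeated_offenders, unit_seconds=1):
    """Seconds the n-th block of the same IP should last.

    Assumed escalation rule (an assumption of this example, not verified
    against execd here): block 1 uses the active-response <timeout>; block
    n >= 2 uses entry n-1 of the repeated_offenders list, and the last entry
    repeats once the list runs out. unit_seconds converts the list values
    (1 = seconds as Bill Price reads them, 60 = minutes as the manual says)."""
    if offense_number <= 1 or not repeated_offenders:
        return base_timeout
    idx = min(offense_number - 2, len(repeated_offenders) - 1)
    return repeated_offenders[idx] * unit_seconds


def block_durations(log_text):
    """Pair every 'add' with the next 'delete' for the same script and IP.

    Returns {ip: [(script, add_time, seconds_or_None), ...]}; None marks a
    block that has no delete yet (still in force, or the delete never ran)."""
    open_blocks = {}
    blocks = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["script"], ev["ip"])
        if ev["action"] == "add":
            open_blocks[key] = ev["time"]
        elif key in open_blocks:
            start = open_blocks.pop(key)
            blocks[ev["ip"]].append((ev["script"], start, int((ev["time"] - start).total_seconds())))
    for (script, ip), start in open_blocks.items():
        blocks[ip].append((script, start, None))
    return blocks


def audit(log_text, base_timeout, repeated_offenders, unit_seconds=1):
    """One row per block: offense number per script and IP, observed vs expected seconds."""
    rows = []
    for ip, ip_blocks in sorted(block_durations(log_text).items()):
        count = defaultdict(int)
        for script, start, observed in sorted(ip_blocks, key=lambda b: b[1]):
            count[script] += 1
            expected = expected_timeout(count[script], base_timeout, repeated_offenders, unit_seconds)
            rows.append({"ip": ip, "script": script, "offense": count[script],
                         "start": start, "observed": observed, "expected": expected,
                         "ok": None if observed is None else observed == expected})
    return rows


if __name__ == "__main__":
    # 600 s initial timeout, then Bill Price's list taken as seconds
    for row in audit(SAMPLE_LOG, 600, [3600, 7200, 14400]):
        print(row["ip"], row["script"], "#%d" % row["offense"],
              "observed", row["observed"], "expected", row["expected"], "ok", row["ok"])
```

Run it against the real file with `audit(open("/var/ossec/logs/active-responses.log").read(), 600, [...])`; a row whose `ok` is False means an unblock came earlier or later than the schedule, which in the 2011 thread was the symptom of repeated_offenders sitting in the wrong ossec.conf. A row with `observed` None is a block that was added but never deleted, worth checking against the firewall and /etc/hosts.deny the way Steven Stern suggests further down.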



Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 11:53 AM, Dimitri Yioulos wrote:
 On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
 On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
 Anyone have any ideas on this?

 All,

 Back at the end of last year, I asked about using the repeated-offenders
 feature
 in OH.  I added the following directives to ossec.conf on the host that
 I want this to work in:

   <command>
     <name>host-deny</name>
     <executable>host-deny.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <active-response>
     <!-- This response is going to execute the host-deny
        - command for every event that fires a rule with
        - level (severity) >= 6.
        - The IP is going to be blocked for 600 seconds.
       -->
     <command>host-deny</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>

 Despite that, it's not working.  Ossec reports the following:

 OSSEC HIDS Notification.
 2012 Mar 07 09:08:16

 Received From: (plymouth) 192.168.1.2->/var/log/messages
 Rule: 40111 fired (level 10) - Multiple authentication failures.
 Portion of the log(s):

 Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod
 host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
 ...

 However, rather than OH invoking repeated-offenders, and blocking the
 offender for 600 seconds, I continue to see the offender make attempts
 on the host.

 What am I missing here?

 Can you get onto the server when the block should be in effect?

 If so, what do you see in /etc/hosts.deny and from iptables -L?

 At the time the blocks should be taking place, do you see anything in
 /var/log/messages or /var/ossec/logs/active-responses.log?

 Are you running SELinux in enforcing mode?


 --
 -- Steve
 
 
 Steve,
 
 Thanks for your response.  By grepping for the offending IP addy 
 in /var/ossec/logs/active-responses.log, I saw that host-deny.sh add 
 and firewall-drop.sh add were fired.  Ten minutes later, host-deny.sh 
 delete and firewall-drop.sh delete were fired.  So, it appears that 
 repeated-offenders is working.  I just didn't know where to look.  I guess 
 I'd like an email notification when the blocks/unblocks are fired.  How/where do 
 I enable that?

I think this is what you want.  By the way, if you're playing with rules
that lock people out, be sure to whitelist your own IP first.

http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/

http://www.ossec.net/wiki/Know_How:White_list


-- 
-- Steve


Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-20 Thread Chris Warren
Confirmed.

So to re-cap and clarify on Jake's discovery, the repeated_offenders block goes 
on the AGENTS' ossec.conf file.  Also important is that the repeated_offenders 
block is NOT on the server's ossec.conf (I had repeated offenders in each 
active response block, and the agents were ignoring the initial timeout and 
going right to the first repeated_offenders value).

Also this seems to work across the whole network, i.e. if 1 machine gets a 
brute-force attack and the active response triggers, and later a different 
machine gets attacked by the same source, it will go to repeated_offenders :)

Thanks again, Jake, for the testing you did with this, and thanks Dan for 
updating the docs :)

- Original Message -
From: Chris Warren chris.war...@netelligent.ca
To: ossec-list@googlegroups.com
Sent: Saturday, December 17, 2011 10:37:41 AM
Subject: Re: [ossec-list] Re: Repeated Offenders not triggering


GREAT news!

I will test this in my server/client configuration with block 
<location>all</location>.  I'm hoping that the repeated_offenders timeouts on 
each agent will determine this from the active-response.log.  Otherwise, I'd 
assume repeated_offenders would only be blocked per-agent.

I manage my config changes with puppet so it should be a quick fix :)

- Original Message -
From: c0by jake@gmail.com
To: ossec-list ossec-list@googlegroups.com
Sent: Saturday, December 17, 2011 7:46:25 AM
Subject: [ossec-list] Re: Repeated Offenders not triggering


I did some more testing, and I am happy to say I believe this issue is
SOLVED!

The issue is that the repeated offenders configuration needs to be on
the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I
believe you could have it on both so it is used for both the server
and agent. It can't go in the agent.conf currently, which would have been
nice, but it's fine for now.

For more details on this see my post on this solution here:
http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake

On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
 Good find!  Thank you!

 Unfortunately the source is still a little over my head...just meaning that I 
 don't have the time right now to get in and learn.

 But I work regularly with a couple of different ossec server/agent groups for 
 different clients, and can definitely help to test any code patches, and/or 
 help with any diagnostic testing.

 I'd love to see this feature work, but it is by no means a deal-breaker for 
 me.







 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Friday, December 16, 2011 6:09:51 PM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 I can confirm that repeated_offenders *does* work on a local only install.

 I too run an agent / server setup with blocks going to all agents. With this 
 setup repeated_offenders does *not* work. It says it's loaded in the start up 
 log but it is ignored and the default ar timeout is always used.

 So going by your suggestion, I installed a fresh local only ossec install on 
 a development server and it does indeed work.

 Looks like some code must be missing from the agent only build perhaps. Not 
 done much testing yet, but will do more later and have a read through the 
 source.

 Any of the developers know much about this?

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Fri, 16 Dec 2011 14:41:38
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Could be that it's only working for local setups currently?  I am using 
 server/agent, with active responses triggering blocks on all servers.

 Even so, I repeatedly abused 1 single server and could not get the 
 repeated_offenders timeout to trigger.

 Anybody with a local install that can test this, or has it working?

 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Wednesday, December 14, 2011 6:56:47 AM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Moving the repeated_offenders to its own block did not work for me. I don't 
 see anything in the log on start either.

 Is this feature confirmed as working? Just doesn't seem to have many docs for 
 it, would be a nice feature to use.

 Jake
 Sent using BlackBerry® from Orange

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Tue, 13 Dec 2011 15:55:40
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Sometimes I see the same host blocked every 600 seconds (the timeout value).

 I tried adding the repeated_offenders list to its own block as the 
 documentation suggested, but then I do not see:

 2011/12/12 19:39

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-19 Thread dan (ddp)
Thanks for finding that. If I haven't already, I'll update the docs.

On Sat, Dec 17, 2011 at 7:46 AM, c0by jake@gmail.com wrote:
 I did some more testing, and I am happy to say I believe this issue is
 SOLVED!

 The issue is that the repeated offenders configuration needs to be on
 the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I
 believe you could have it on both so it is used for both the server
 and agent. It can't go in the agent.conf currently, which would have been
 nice, but it's fine for now.

 For more details on this see my post on this solution here:
 http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

 Regards
 Jake

 On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
 Good find!  Thank you!

 Unfortunately the source is still a little over my head...just meaning that 
 I don't have the time right now to get in and learn.

 But I work regularly with a couple of different ossec server/agent groups 
 for different clients, and can definitely help to test any code patches, 
 and/or help with any diagnostic testing.

 I'd love to see this feature work, but it is by no means a deal-breaker for 
 me.







 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Friday, December 16, 2011 6:09:51 PM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 I can confirm that repeated_offenders *does* work on a local only install.

 I too run an agent / server setup with blocks going to all agents. With this 
 setup repeated_offenders does *not* work. It says it's loaded in the start 
 up log but it is ignored and the default ar timeout is always used.

 So going by your suggestion, I installed a fresh local only ossec install on 
 a development server and it does indeed work.

 Looks like some code must be missing from the agent only build perhaps. Not 
 done much testing yet, but will do more later and have a read through the 
 source.

 Any of the developers know much about this?

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Fri, 16 Dec 2011 14:41:38
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Could be that it's only working for local setups currently?  I am using 
 server/agent, with active responses triggering blocks on all servers.

 Even so, I repeatedly abused 1 single server and could not get the 
 repeated_offenders timeout to trigger.

 Anybody with a local install that can test this, or has it working?

 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Wednesday, December 14, 2011 6:56:47 AM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Moving the repeated_offenders to its own block did not work for me. I don't 
 see anything in the log on start either.

 Is this feature confirmed as working? Just doesn't seem to have many docs 
 for it, would be a nice feature to use.

 Jake
 Sent using BlackBerry® from Orange

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Tue, 13 Dec 2011 15:55:40
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Sometimes I see the same host blocked every 600 seconds (the timeout value).

 I tried adding the repeated_offenders list to its own block as the 
 documentation suggested, but then I do not see:

 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for 
 #4)

 I will be doing some more testing as well, and will report back if I find a 
 solution.

 - Original Message -
 From: dan (ddp) ddp...@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Tuesday, December 13, 2011 3:46:23 PM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
 I think the repeated_offenders list should be in its own block.
 Example:

 <active-response>
   <command>firewall-drop</command>
   <location>all</location>
   <level>7</level>
   <timeout>600</timeout>
 </active-response>
 <active-response>
   <repeated_offenders>30,60,120,1440</repeated_offenders>
 </active-response>

 Again, I'm not sure and I don't know how easy this will be for me to test.

 On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren
 chris.war...@netelligent.ca wrote:
  Hi,
  I am trying out the repeated_offenders option but it does not seem to 
  be triggering.

  Here is my active response config:
   <active-response>
     <!-- Firewall Drop response. Block the IP for
        - 600 seconds 

[ossec-list] Re: Repeated Offenders not triggering

2011-12-17 Thread c0by
I did some more testing, and I am happy to say I believe this issue is
SOLVED!

The issue is that the repeated offenders configuration needs to be on
the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I
believe you could have it on both so it is used for both the server
and agent. It can't go in the agent.conf currently, which would have been
nice, but it's fine for now.

For more details on this see my post on this solution here:
http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake

On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
 Good find!  Thank you!

 Unfortunately the source is still a little over my head...just meaning that I 
 don't have the time right now to get in and learn.

 But I work regularly with a couple of different ossec server/agent groups for 
 different clients, and can definitely help to test any code patches, and/or 
 help with any diagnostic testing.

 I'd love to see this feature work, but it is by no means a deal-breaker for 
 me.







 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Friday, December 16, 2011 6:09:51 PM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 I can confirm that repeated_offenders *does* work on a local only install.

 I too run an agent / server setup with blocks going to all agents. With this 
 setup repeated_offenders does *not* work. It says it's loaded in the start up 
 log but it is ignored and the default ar timeout is always used.

 So going by your suggestion, I installed a fresh local only ossec install on 
 a development server and it does indeed work.

 Looks like some code must be missing from the agent only build perhaps. Not 
 done much testing yet, but will do more later and have a read through the 
 source.

 Any of the developers know much about this?

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Fri, 16 Dec 2011 14:41:38
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Could be that it's only working for local setups currently?  I am using 
 server/agent, with active responses triggering blocks on all servers.

 Even so, I repeatedly abused 1 single server and could not get the 
 repeated_offenders timeout to trigger.

 Anybody with a local install that can test this, or has it working?

 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Wednesday, December 14, 2011 6:56:47 AM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Moving the repeated_offenders to its own block did not work for me. I don't 
 see anything in the log on start either.

 Is this feature confirmed as working? Just doesn't seem to have many docs for 
 it, would be a nice feature to use.

 Jake
 Sent using BlackBerry® from Orange

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Tue, 13 Dec 2011 15:55:40
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Sometimes I see the same host blocked every 600 seconds (the timeout value).

 I tried adding the repeated_offenders list to its own block as the 
 documentation suggested, but then I do not see:

 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)

 I will be doing some more testing as well, and will report back if I find a 
 solution.

 - Original Message -
 From: dan (ddp) ddp...@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Tuesday, December 13, 2011 3:46:23 PM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
 I think the repeated_offenders list should be in its own block.
 Example:

 <active-response>
   <command>firewall-drop</command>
   <location>all</location>
   <level>7</level>
   <timeout>600</timeout>
 </active-response>
 <active-response>
   <repeated_offenders>30,60,120,1440</repeated_offenders>
 </active-response>

 Again, I'm not sure and I don't know how easy this will be for me to test.

 On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren
 chris.war...@netelligent.ca wrote:
  Hi,
  I am trying out the repeated_offenders option but it does not seem to 
  be triggering.

  Here is my active response config:
   <active-response>
     <!-- Firewall Drop response. Block the IP for
        - 600 seconds on the firewall (iptables,
        - ipfilter, etc).
       -->
     <command>firewall-drop</command>
     <location>all</location>
     <level>7</level>
     

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-17 Thread Chris Warren
GREAT news!

I will test this in my server/client configuration with block 
<location>all</location>.  I'm hoping that the repeated_offenders timeouts on 
each agent will determine this from the active-response.log.  Otherwise, I'd 
assume repeated_offenders would only be blocked per-agent.

I manage my config changes with puppet so it should be a quick fix :)

- Original Message -
From: c0by jake@gmail.com
To: ossec-list ossec-list@googlegroups.com
Sent: Saturday, December 17, 2011 7:46:25 AM
Subject: [ossec-list] Re: Repeated Offenders not triggering


I did some more testing, and I am happy to say I believe this issue is
SOLVED!

The issue is that the repeated offenders configuration needs to be on
the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I
believe you could have it on both so it is used for both the server
and agent. It can't go in the agent.conf currently, which would have been
nice, but it's fine for now.

For more details on this see my post on this solution here:
http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake

On Dec 17, 4:57 am, Chris Warren chris.war...@netelligent.ca wrote:
 Good find!  Thank you!

 Unfortunately the source is still a little over my head...just meaning that I 
 don't have the time right now to get in and learn.

 But I work regularly with a couple of different ossec server/agent groups for 
 different clients, and can definitely help to test any code patches, and/or 
 help with any diagnostic testing.

 I'd love to see this feature work, but it is by no means a deal-breaker for 
 me.







 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Friday, December 16, 2011 6:09:51 PM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 I can confirm that repeated_offenders *does* work on a local only install.

 I too run an agent / server setup with blocks going to all agents. With this 
 setup repeated_offenders does *not* work. It says it's loaded in the start up 
 log but it is ignored and the default ar timeout is always used.

 So going by your suggestion, I installed a fresh local only ossec install on 
 a development server and it does indeed work.

 Looks like some code must be missing from the agent only build perhaps. Not 
 done much testing yet, but will do more later and have a read through the 
 source.

 Any of the developers know much about this?

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Fri, 16 Dec 2011 14:41:38
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Could be that it's only working for local setups currently?  I am using 
 server/agent, with active responses triggering blocks on all servers.

 Even so, I repeatedly abused 1 single server and could not get the 
 repeated_offenders timeout to trigger.

 Anybody with a local install that can test this, or has it working?

 - Original Message -
 From: jake 22s jake@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Wednesday, December 14, 2011 6:56:47 AM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Moving the repeated_offenders to its own block did not work for me. I don't 
 see anything in the log on start either.

 Is this feature confirmed as working? Just doesn't seem to have many docs for 
 it, would be a nice feature to use.

 Jake
 Sent using BlackBerry® from Orange

 -Original Message-
 From: Chris Warren chris.war...@netelligent.ca
 Sender: ossec-list@googlegroups.com
 Date: Tue, 13 Dec 2011 15:55:40
 To: ossec-list@googlegroups.com
 Reply-To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Sometimes I see the same host blocked every 600 seconds (the timeout value).

 I tried adding the repeated_offenders list to its own block as the 
 documentation suggested, but then I do not see:

 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)

 I will be doing some more testing as well, and will report back if I find a 
 solution.

 - Original Message -
 From: dan (ddp) ddp...@gmail.com
 To: ossec-list@googlegroups.com
 Sent: Tuesday, December 13, 2011 3:46:23 PM
 Subject: Re: [ossec-list] Repeated Offenders not triggering

 Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
 I think the repeated_offenders list should be in its own block.
 Example:

 <active-response>
   <command>firewall-drop</command>
   <location>all</location>
   <level>7</level>
   <timeout>600</timeout>
 </active-response>
 <active-response>
   <repeated_offenders>30,60,120,1440