I did some more testing, and I am happy to say I believe this issue is
SOLVED!

The issue is that the repeated offenders configuration needs to be in
the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I
believe you could have it in both so it is used for both the server
and agent. It can't go in agent.conf currently, which would have been
nice, but it's fine for now.

For more details on this see my post on this solution here:
http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake

On Dec 17, 4:57 am, Chris Warren <chris.war...@netelligent.ca> wrote:
> Good find!  Thank you!
>
> Unfortunately the source is still a little over my head...just meaning that I 
> don't have the time to right now to get in and learn.
>
> But I work regularly with a couple of different ossec server/agent groups for 
> different clients, and can definitely help to test any code patches, and/or 
> help with any diagnostic testing.
>
> I'd love to see this feature work, but it is by no means a deal-breaker for 
> me.
>
> ----- Original Message -----
> From: "jake 22s" <jake....@gmail.com>
> To: ossec-list@googlegroups.com
> Sent: Friday, December 16, 2011 6:09:51 PM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> I can confirm that repeated_offenders *does* work on a local only install.
>
> I too run an agent / server setup with blocks going to all agents. With this 
> setup repeated_offenders does *not* work. It says it's loaded in the start up 
> log but it is ignored and the default ar timeout is always used.
>
> So going by your suggestion, I installed a fresh local only ossec install on 
> a development server and it does indeed work.
>
> Looks like some code must be missing from the agent only build perhaps. Not 
> done much testing yet, but will do more later and have a read through the 
> source.
>
> Any of the developers know much about this?
>
> -----Original Message-----
> From: Chris Warren <chris.war...@netelligent.ca>
> Sender: ossec-list@googlegroups.com
> Date: Fri, 16 Dec 2011 14:41:38
> To: <ossec-list@googlegroups.com>
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Could be that it's only working for local setups currently?  I am using 
> server/agent, with active responses triggering blocks on all servers.
>
> Even so, I repeatedly abused 1 single server and could not get the 
> repeated_offenders timeout to trigger.
>
> Anybody with a local install that can test this, or has it working?
>
> ----- Original Message -----
> From: "jake 22s" <jake....@gmail.com>
> To: ossec-list@googlegroups.com
> Sent: Wednesday, December 14, 2011 6:56:47 AM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Moving the repeated_offenders to its own block did not work for me. I don't 
> see anything in the log on start either.
>
> Is this feature confirmed as working? Just doesn't seem to have many docs for 
> it, would be a nice feature to use.
>
> Jake
> Sent using BlackBerry® from Orange
>
> -----Original Message-----
> From: Chris Warren <chris.war...@netelligent.ca>
> Sender: ossec-list@googlegroups.com
> Date: Tue, 13 Dec 2011 15:55:40
> To: <ossec-list@googlegroups.com>
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Sometimes I see the same host blocked every 600 seconds (the timeout value).
>
> I tried adding the repeated_offenders list to its own block as the 
> documentation suggested, but then I do not see:
>
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
> 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>
> I will be doing some more testing as well, and will report back if I find a 
> solution.
>
> ----- Original Message -----
> From: "dan (ddp)" <ddp...@gmail.com>
> To: ossec-list@googlegroups.com
> Sent: Tuesday, December 13, 2011 3:46:23 PM
> Subject: Re: [ossec-list] Repeated Offenders not triggering
>
> Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
> I think the repeated_offenders list should be in its own block.
> Example:
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>7</level>
>   <timeout>600</timeout>
> </active-response>
> <active-response>
>   <repeated_offenders>30,60,120,1440</repeated_offenders>
> </active-response>
>
> Again, I'm not sure and I don't know how easy this will be for me to test.
>
> On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren
> <chris.war...@netelligent.ca> wrote:
> > Hi,
> > I'm am trying out the <repeated_offenders> option but it does not seem to 
> > be triggering.
>
> > Here is my active response config:
> >  <active-response>
> >    <!-- Firewall Drop response. Block the IP for
> >       - 600 seconds on the firewall (iptables,
> >       - ipfilter, etc).
> >      -->
> >    <command>firewall-drop</command>
> >    <location>all</location>
> >    <level>7</level>
> >    <timeout>600</timeout>
> >    <repeated_offenders>30,60,120,1440</repeated_offenders>
> >  </active-response>
>
> > I also get this when restarting OSSEC:
> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
> > 2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
>
> > So all appears well, however, I am seeing the same offender being unblocked 
> > after 600 seconds each time.
>
> > Thanks for any help offered.
>
> > Chris

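The thread above ends with the option placed in the agents' ossec.conf but never spells out what a working escalation should look like, or how to check an agent's configuration for it. The script below is an added example written for this page; it is not code from the thread, from the blog post linked above, or from OSSEC itself. It parses an `<active-response>` configuration in either layout discussed (list next to `<timeout>`, or in its own block) and models the block durations a single source IP should get. The model rests on the documented behaviour of the option (entries are minutes, at most five, and the list should be increasing) plus one assumption that is labelled in the code: the n-th repeat offence uses the n-th entry and offences past the end of the list keep the last entry. The sample configurations are constructed copies of the thread's own snippets, not taken from a live system.

```python
"""Check an ossec.conf <active-response> block and model the block schedule
that <repeated_offenders> is supposed to produce.

Added example for this thread, not OSSEC's own code. Assumptions: the list
holds increasing timeouts in minutes (documented), at most five entries
(documented), the n-th repeat uses the n-th entry, and offences beyond the
list keep the last entry (assumed from the documented behaviour).
"""
import xml.etree.ElementTree as ET

# Constructed sample, not from a live system: the thread's configuration with
# repeated_offenders inside the firewall-drop block, wrapped in <ossec_config>.
SAMPLE_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120,1440</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Constructed sample of the alternative layout suggested in the thread:
# repeated_offenders in its own <active-response> block.
SAMPLE_CONF_SPLIT = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <repeated_offenders>30,60,120,1440</repeated_offenders>
  </active-response>
</ossec_config>
"""

MAX_REPEATED_ENTRIES = 5  # OSSEC accepts at most five entries in the list


def parse_active_response(xml_text):
    """Return (base_timeout_seconds, repeated_minutes) from an ossec.conf body.

    Both layouts are accepted: the list may sit next to <timeout> or in a
    separate <active-response> element. A missing list yields [], which is
    the "600 seconds every time" behaviour reported in the thread.
    """
    root = ET.fromstring(xml_text)
    base_timeout = 0
    repeated = []
    for ar in root.iter("active-response"):
        timeout = ar.findtext("timeout")
        if timeout is not None and timeout.strip():
            base_timeout = int(timeout.strip())
        offenders = ar.findtext("repeated_offenders")
        if offenders is not None and offenders.strip():
            repeated = [int(x) for x in offenders.split(",") if x.strip()]
    if len(repeated) > MAX_REPEATED_ENTRIES:
        raise ValueError("at most %d repeated_offenders entries are allowed"
                         % MAX_REPEATED_ENTRIES)
    if repeated != sorted(repeated):
        raise ValueError("repeated_offenders should be increasing: %r" % repeated)
    return base_timeout, repeated


def block_durations(offences, base_timeout, repeated):
    """Seconds each successive block of one source IP lasts.

    Offence 1 uses <timeout>; offence n >= 2 uses repeated[n-2] minutes
    (assumed escalation order); past the end of the list the last entry
    repeats. With an empty list every block is base_timeout, which is what
    a server-only placement of the option looks like from the agent side.
    """
    durations = []
    for n in range(1, offences + 1):
        if n == 1 or not repeated:
            durations.append(base_timeout)
        else:
            idx = min(n - 2, len(repeated) - 1)
            durations.append(repeated[idx] * 60)
    return durations


def describe(xml_text, offences=6):
    """Human-readable schedule for a quick check of an agent's ossec.conf."""
    base, repeated = parse_active_response(xml_text)
    return ["offence %d: blocked %ds" % (n + 1, secs)
            for n, secs in enumerate(block_durations(offences, base, repeated))]


if __name__ == "__main__":
    for line in describe(SAMPLE_CONF):
        print(line)
```

To run it against a real agent, feed it the contents of the agent's ossec.conf (by default `/var/ossec/etc/ossec.conf`). OSSEC allows several top-level `<ossec_config>` elements in one file, which a strict XML parser rejects, so wrap the file's contents in one extra root element before calling `describe`. If the schedule printed for the agent shows the base timeout on every line, the list is not in that agent's file, which is the misplacement the thread ended up diagnosing.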