Hi,
I would like to know for how long OSSEC "stores" the blocked IP so that
it is considered a repeated_offender, i.e. once it has been unblocked
(after the first block), until how much later it will count as a
repeated_offender. For example, if IP X is blocked now, will it still count
Hi *,
I'm trying to implement a new active-response rule for a specific event (1
rule ID).
It must be implemented with the tag.
Problem: I've multiple active-response rules matching this event and it
seems that OSSEC picks up the wrong one (repeated offenders are not
applied).
Any idea to debug
I am running an agent/server configuration of OSSEC. I have added the
repeated offenders configuration block to all of my agents and the server
as follows:
<active-response>
<repeated_offenders>120,180,240</repeated_offenders>
</active-response>
When I restart OSSEC, I do see the
All,
Back at the end of last year, I asked about using the repeated-offenders
feature
in OH. I added the following directives to ossec.conf on the host that I want
this to work in:
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
this, or has it working?
- Original Message -
From: jake 22s jake@gmail.com
To: ossec-list@googlegroups.com
Sent: Wednesday, December 14, 2011 6:56:47 AM
Subject: Re: [ossec-list] Repeated Offenders not triggering
Moving the repeated_offenders to its own block did not work for me. I don't
of the developers know much about this?
-Original Message-
From: Chris Warren chris.war...@netelligent.ca
Sender: ossec-list@googlegroups.com
Date: Fri, 16 Dec 2011 14:41:38
To: ossec-list@googlegroups.com
Reply-To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Repeated Offenders
with a local install that can test this, or has it working?
- Original Message -
From: jake 22s jake@gmail.com
To: ossec-list@googlegroups.com
Sent: Wednesday, December 14, 2011 6:56:47 AM
Subject: Re: [ossec-list] Repeated Offenders not triggering
Moving the repeated_offenders to its own
-To: ossec-list@googlegroups.com
Subject: [ossec-list] Repeated Offenders not triggering
Hi,
I am trying out the repeated_offenders option but it does not seem to be
triggering.
Here is my active response config:
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds
How much time passes between the blocks?
(I don't know much about repeated_offenders, so just gathering ideas.)
On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren
chris.war...@netelligent.ca wrote:
Hi,
I am trying out the repeated_offenders option but it does not seem to be
triggering.
Here
Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
I think the repeated_offenders list should be in its own block.
Example:
<active-response>
<command>firewall-drop</command>
<location>all</location>
<level>7</level>
<timeout>600</timeout>
</active-response>
<active-response>
.
- Original Message -
From: dan (ddp) ddp...@gmail.com
To: ossec-list@googlegroups.com
Sent: Tuesday, December 13, 2011 3:46:23 PM
Subject: Re: [ossec-list] Repeated Offenders not triggering
Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
I think the repeated_offenders
Hi,
I am trying out the repeated_offenders option but it does not seem to be
triggering.
Here is my active response config:
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
12 matches