Hi *,
I'm trying to implement a new active-response rule for a specific event (1 rule ID).
It must be implement with the <repeated_offenders> tag.
Problem: I've multiple active-response rules matching this event and it seems that OSSEC picks up the wrong one (repeater offenders are not applied).
Any idea to debug this? The rule is:
<active-response>
<command>firewall-drop-aggressive</command>
<location>local</location>
<timeout>600</timeout>
<rules_id>xxx</rules_id>
<repeated_offenders>30,60,120,240,480</repeated_offenders>
</active-response>
/x