Repeated offenders?


Xavier Mertens

May 19, 2016, 2:42:29 AM
to ossec-list
Hi *,

I'm trying to implement a new active-response rule for a specific event (1 rule ID).
It must be implemented with the <repeated_offenders> tag.

Problem: I have multiple active-response rules matching this event and it seems that OSSEC picks up the wrong one (repeated offenders are not applied).

Any idea to debug this? The rule is:

<active-response>
    <command>firewall-drop-aggressive</command>
    <location>local</location>
    <timeout>600</timeout>
    <rules_id>xxx</rules_id>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
</active-response>

/x

Jesus Linares

May 19, 2016, 3:33:26 AM
to ossec-list
Hi,

I guess that your command needs an IP, so if your rule xxx doesn't have the field srcip extracted (by the proper decoder) the active-response will not work.

Also, keep in mind that repeated_offenders must be in ossec.conf of every agent (shared/agent.conf or manager/ossec.conf are not valid).

Regards.
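The two failure modes named in this reply (a command that expects srcip for a rule that never decodes one, and a repeated_offenders tag placed in the shared agent.conf where it is ignored) are both visible in the configuration before any event fires. The following linter is an added example, not code from the thread or from the OSSEC project: it parses an active-response fragment and reports those problems. The sample fragment is constructed from the block posted above, with rule id 100100 standing in for the poster's "xxx"; the set of rules known to carry a decoded srcip is a hypothetical input the caller supplies (for example from ossec-logtest output). OSSEC's documentation gives repeated_offenders values in minutes and <timeout> in seconds, so the checks only enforce that they are integers and that the schedule increases.

```python
"""Lint an OSSEC active-response configuration fragment.

Checks the two points raised in the thread: the <command> used by an
<active-response> must <expect> a field the triggering rules actually
extract (srcip for the firewall-drop scripts), and <repeated_offenders>
is only honoured in the agent's own ossec.conf, never in the shared
agent.conf pushed from the manager.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the block posted in the thread. Rule id
# 100100 is a placeholder for the poster's "xxx"; the <command> block is
# the standard OSSEC firewall-drop definition.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop-aggressive</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop-aggressive</command>
    <location>local</location>
    <timeout>600</timeout>
    <rules_id>100100</rules_id>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
  </active-response>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may contain several top-level <ossec_config> blocks,
    which is not well-formed XML, so wrap the text in a synthetic root."""
    return ET.fromstring("<lint_root>" + text + "</lint_root>")


def lint_active_response(text, filename="ossec.conf", rules_with_srcip=frozenset()):
    """Return a list of problems found (an empty list means the fragment is clean).

    rules_with_srcip: ids of rules known (e.g. from ossec-logtest output) to
    carry a decoded srcip field. This is a hypothetical input from the caller.
    """
    root = parse_ossec_conf(text)
    problems = []

    # <command> definitions have a <name> child; the <command> reference
    # inside <active-response> does not, so the filter separates them.
    commands = {
        c.findtext("name"): c
        for c in root.iter("command")
        if c.findtext("name") is not None
    }

    for ar in root.iter("active-response"):
        cmd_name = (ar.findtext("command") or "").strip()
        rule_ids = [r.strip() for r in (ar.findtext("rules_id") or "").split(",") if r.strip()]

        cmd = commands.get(cmd_name)
        if cmd is None:
            problems.append("active-response references undefined command '%s'" % cmd_name)
        elif "srcip" in (cmd.findtext("expect") or ""):
            # The script needs an IP: every triggering rule must decode srcip,
            # otherwise the response is silently skipped.
            for rid in rule_ids:
                if rid not in rules_with_srcip:
                    problems.append(
                        "command '%s' expects srcip but rule %s has no srcip field" % (cmd_name, rid))

        timeout = (ar.findtext("timeout") or "").strip()
        if timeout and not timeout.isdigit():
            problems.append("timeout '%s' is not a number of seconds" % timeout)

        repeated = ar.findtext("repeated_offenders")
        if repeated is None:
            continue
        if os.path.basename(filename) == "agent.conf":
            problems.append("repeated_offenders in agent.conf is ignored; put it in each agent's ossec.conf")
        try:
            schedule = [int(v) for v in repeated.split(",")]
        except ValueError:
            problems.append("repeated_offenders '%s' must be comma-separated integers (minutes)" % repeated)
            continue
        if any(b <= a for a, b in zip(schedule, schedule[1:])):
            problems.append("repeated_offenders %s must be strictly increasing" % schedule)

    return problems


if __name__ == "__main__":
    for fname, known in (("ossec.conf", {"100100"}), ("agent.conf", {"100100"}), ("ossec.conf", set())):
        print(fname, sorted(known), lint_active_response(SAMPLE_OSSEC_CONF, fname, known) or "OK")
```

Run against the agent's own /var/ossec/etc/ossec.conf, the fragment passes; pointed at the shared agent.conf it reports the misplaced tag, and with an empty srcip set it reports the command/rule mismatch. The linter cannot see decoders, which is why the srcip set is an input rather than something it derives.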

Xavier Mertens

May 19, 2016, 4:11:44 AM
to ossec-list
Thanks for the tips! I'll test again following your advice...

/x

Xavier Mertens

May 20, 2016, 2:27:38 AM
to ossec-list
Hi Jesus,
It worked much better! Kicking out offenders more and more now :-)
My Google-fu was also better yesterday and I found this blog post:

/x

Jesus Linares

May 20, 2016, 5:07:03 AM
to ossec-list, xav...@rootshell.be
I'm glad to help. Also, I wrote a post about blocking attacks with active response (including repeated offenders configuration): http://blog.wazuh.com/blocking-attacks-active-response/

I hope you find it interesting.

Regards.