Repeated Offenders not triggering

406 views

Chris Warren

Dec 12, 2011, 10:08:30 PM12/12/11
to ossec...@googlegroups.com
Hi,
I am trying out the <repeated_offenders> option but it does not seem to be triggering.

Here is my active response config:
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
  -->
  <command>firewall-drop</command>
  <location>all</location>
  <level>7</level>
  <timeout>600</timeout>
  <repeated_offenders>30,60,120,1440</repeated_offenders>
</active-response>


I also get this when restarting OSSEC:
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)

So all appears well, however, I am seeing the same offender being unblocked after 600 seconds each time.

Thanks for any help offered.

Chris

jake...@gmail.com

Dec 13, 2011, 4:49:28 AM12/13/11
to ossec...@googlegroups.com
+1 for this problem

I am running the latest release of ossec on FreeBSD 8.2
Sent using BlackBerry® from Orange

dan (ddp)

Dec 13, 2011, 3:40:25 PM12/13/11
to ossec...@googlegroups.com
How much time passes between the blocks?

(I don't know much about repeated_offenders, so just gathering ideas.)

dan (ddp)

Dec 13, 2011, 3:46:23 PM12/13/11
to ossec...@googlegroups.com
Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
I think the repeated_offenders list should be in its own block.
Example:

<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <repeated_offenders>30,60,120,1440</repeated_offenders>
</active-response>

Again, I'm not sure and I don't know how easy this will be for me to test.


Chris Warren

Dec 13, 2011, 3:55:40 PM12/13/11
to ossec...@googlegroups.com
Sometimes I see the same host blocked every 600 seconds (the timeout value).

I tried adding the repeated_offenders list to its own block as the documentation suggested, but then I do not see:

2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)

I will be doing some more testing as well, and will report back if I find a solution.

jake...@gmail.com

Dec 14, 2011, 6:56:47 AM12/14/11
to ossec...@googlegroups.com
Moving the repeated_offenders to its own block did not work for me. I don't see anything in the log on start either.

Is this feature confirmed as working? Just doesn't seem to have many docs for it, would be a nice feature to use.

Jake
Sent using BlackBerry® from Orange


Chris Warren

Dec 16, 2011, 2:41:38 PM12/16/11
to ossec...@googlegroups.com
Could be that it's only working for local setups currently? I am using server/agent, with active responses triggering blocks on all servers.

Even so, I repeatedly abused a single server and could not get the repeated_offenders timeout to trigger.

Anybody with a local install that can test this, or has it working?

jake...@gmail.com

Dec 16, 2011, 6:09:51 PM12/16/11
to ossec...@googlegroups.com
I can confirm that repeated_offenders *does* work on a local only install.

I too run an agent / server setup with blocks going to all agents. With this setup repeated_offenders does *not* work. It says it's loaded in the start up log but it is ignored and the default ar timeout is always used.

So going by your suggestion, I installed a fresh local only ossec install on a development server and it does indeed work.

Looks like some code must be missing from the agent only build perhaps. Not done much testing yet, but will do more later and have a read through the source.

Any of the developers know much about this?

Chris Warren

Dec 16, 2011, 11:57:54 PM12/16/11
to ossec...@googlegroups.com
Good find! Thank you!

Unfortunately the source is still a little over my head... just meaning that I don't have the time right now to get in and learn.

But I work regularly with a couple of different ossec server/agent groups for different clients, and can definitely help to test any code patches, and/or help with any diagnostic testing.

I'd love to see this feature work, but it is by no means a deal-breaker for me.

c0by

Dec 17, 2011, 7:46:25 AM12/17/11
to ossec-list
I did some more testing, and I am happy to say I believe this issue is SOLVED!

The issue is that the repeated offenders configuration needs to be in the *agent's* ossec.conf file, and *not* in the server's ossec.conf. I believe you could have it on both so it is used for both the server and agent. It can't go in the agent.conf currently, which would have been nice, but it's fine for now.

For more details on this see my post on this solution here:
http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

Regards
Jake


Chris Warren

Dec 17, 2011, 10:37:41 AM12/17/11
to ossec...@googlegroups.com
GREAT news!

I will test this in my server/client configuration with block <location>all</location>. I'm hoping that the repeated_offenders timeouts on each agent will determine this from the active-response.log. Otherwise, I'd assume repeated_offenders would only be blocked per-agent.

I manage my config changes with puppet so it should be a quick fix :)

dan (ddp)

Dec 19, 2011, 7:41:42 PM12/19/11
to ossec...@googlegroups.com
Thanks for finding that. If I haven't already, I'll update the docs.

Chris Warren

Dec 20, 2011, 6:50:32 PM12/20/11
to ossec...@googlegroups.com
Confirmed.

So to recap and clarify Jake's discovery: the repeated_offenders block goes in the AGENTS' ossec.conf file. Also important is that the repeated_offenders block is NOT in the server's ossec.conf (I had repeated_offenders in each active-response block on the server, and the agents were ignoring the initial timeout and going right to the first repeated_offenders value).

Also this seems to work across the whole network, i.e. if one machine gets a brute-force attack and the active response triggers, and later a different machine gets attacked by the same source, it will go to repeated_offenders :)

Thanks again, Jake, for the testing you did with this, and thanks Dan for updating the docs :)

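As an added illustration of the placement the thread settled on (this is not a config posted in the thread or shipped by the OSSEC project), the two ossec.conf files side by side. The timeout and repeated_offenders values are the ones posted above; the /var/ossec/etc/ossec.conf paths assume the default install prefix and are an assumption, and the <command> definition for firewall-drop is left as it is in the stock server config.

```xml
<!-- AGENT side: /var/ossec/etc/ossec.conf on every agent (default path; assumption).
     The escalation list lives here, in its OWN <active-response> block, with no
     <command>/<location>/<timeout> in the same block. ossec-execd on the agent
     reads it at start-up, so after an agent restart its ossec.log should carry
     the same "Adding offenders timeout: 30 (for #1)" ... "(for #4)" lines that
     Chris saw on his server. -->
<ossec_config>
  <active-response>
    <repeated_offenders>30,60,120,1440</repeated_offenders>
  </active-response>
</ossec_config>

<!-- SERVER side: /var/ossec/etc/ossec.conf on the OSSEC server (default path; assumption).
     Only the ordinary response block, unchanged: first offence is dropped for
     600 seconds on the firewall of all agents. Do NOT add repeated_offenders
     here, neither inside this block nor in a separate one: with it present on
     the server the agents skipped the 600 s timeout and jumped straight to the
     first escalation value. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Because the escalation state is kept by execd on each agent rather than by the server, the list has to be pushed to every agent's ossec.conf (agent.conf does not carry it, per Jake's post); a configuration manager such as the puppet setup Chris mentions is the practical way to keep all agents in step. To confirm it is live, check each agent's ossec.log for the four "Adding offenders timeout" lines after restart, then watch that agent's active-response log for the second block of the same source IP using the first escalation value instead of 600.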
