[ossec-list] Active responses stopped working

2016-09-08 Thread Ole Jakob Skjelten
Hi, Having fiddled perhaps a bit too much with the setup of OSSEC, my active responses on my server stopped working last night, and I'm unable to pinpoint the problem. I unfortunately, even with debug enabled, see any errors in ossec.log, and I'm quite unsure how to go about debugging this. If

Re: [ossec-list] active-responses not running for ipv6 addresses?

2015-11-27 Thread dan (ddp)
On Thu, Nov 26, 2015 at 6:44 PM, Graeme Coates wrote: > Hi, > > Am running OSSEC 2.8.3-3jessie (from the alientvault.com repo) > > I'm trying to test active-response rules for a Wordpress install - > specifically to add source IPs as DROP rules in iptables where they

[ossec-list] active-responses not running for ipv6 addresses?

2015-11-26 Thread Graeme Coates
Hi, Am running OSSEC 2.8.3-3jessie (from the alientvault.com repo) I'm trying to test active-response rules for a Wordpress install - specifically to add source IPs as DROP rules in iptables where they have multiple authentication issues, or where they are trying to brute force via XMLRPC

[ossec-list] Active Responses Slow

2014-05-30 Thread BP9906
I've been watching active responses lately and it seems like they don't always generate an active response. I have the settings properly but I would say the actual active response triggers about 25% of the time. I say that because the alerts.log (and respective emails in my inbox) indicate the

Re: [ossec-list] Active Responses Slow

2014-05-30 Thread Jeremy Rossi
* BP9906 crazi...@gmail.com [2014-05-30 14:42:09 -0700]: I've been watching active responses lately and it seems like they don't always generate an active response. I have the settings properly but I would say the actual active response triggers about 25% of the time. I say that because the

[ossec-list] Active Responses triggered but no events logged

2011-06-09 Thread treydock
Today my campus' vulnerability scanner was blocked by OSSEC. That I expected, but what I didn't expect was there to be no log entries of WHAT triggered the active response. My config for host-deny and firewall-drop is set to level 6, yet I can't find in any logs what event triggered the active

Re: [ossec-list] Active Responses triggered but no events logged

2011-06-09 Thread Jason 'XenoPhage' Frisvold
On 06/09/2011 12:54 AM, treydock wrote: Looking at Rule #5706 this is Level 6 so it correctly triggered an active response. However I'm concerned as to why OSSEC didn't log an alert or anything besides the active-response. What more are you

Re: [ossec-list] Active Responses triggered but no events logged

2011-06-09 Thread dan (ddp)
On Thu, Jun 9, 2011 at 12:54 AM, treydock treyd...@gmail.com wrote: Today my campus' vulnerability scanner was blocked by OSSEC.  That I expected, but what I didn't expect was there to be no log entries of WHAT triggered the active response.  My config for host-deny and firewall-drop is set to

[ossec-list] Active responses timing out earlier than configured

2010-06-25 Thread tm
Hello, We have our active responses set to time out after 86,400 seconds (24 hours). However, I notice that they are timing out after only 20 hours. Can OSSEC only handle a fixed number of current active responses at one time so that it immediately expires current active responses in order to make

RE: [ossec-list] Active Responses

2010-04-27 Thread Eric Biondi
Hi Daniel, Thank you, I was able to get that working. Eric - Original Message - From: Daniel Cid daniel@gmail.com To: ossec-list@googlegroups.com Sent: Monday, April 26, 2010 10:12:52 AM Subject: Re: [ossec-list] Active Responses Hi Eric, You don't have to duplicate

Re: [ossec-list] Active Responses

2010-04-26 Thread Daniel Cid
Hi Eric, You don't have to duplicate the scripts. Just add a new active-response section and give it a very high timeout and specify the rule id you want: <active-response> <command>firewall-drop</command> <location>local</location> <rules_id>3302</rules_id> <timeout></timeout>

[ossec-list] Active Responses

2010-04-23 Thread Eric Biondi
I would like to treat one Rule violation different from the rest. I'll duplicate the scripts for firewall drop under a different name and add commands in ossec.conf for the new script. Instead of Level 7 or above triggering the command, I'd like to have a specific postfix rule be the trigger.

[ossec-list] Active-Responses Perl

2007-09-03 Thread Dan
Hi Ossec List, Is it possible to execute a Perl file within the active responses? Or are only bash scripts allowed? Thanks. Regards, Daniel