Hi,
Having fiddled perhaps a bit too much with the setup of OSSEC, my active
responses on my server stopped working last night, and I'm unable to
pinpoint the problem. I unfortunately don't, even with debug enabled, see any
errors in ossec.log, and I'm quite unsure how to go about debugging this.
If
On Thu, Nov 26, 2015 at 6:44 PM, Graeme Coates wrote:
> Hi,
>
> Am running OSSEC 2.8.3-3jessie (from the alienvault.com repo)
>
> I'm trying to test active-response rules for a Wordpress install -
> specifically to add source IPs as DROP rules in iptables where they
Hi,
Am running OSSEC 2.8.3-3jessie (from the alienvault.com repo)
I'm trying to test active-response rules for a Wordpress install -
specifically to add source IPs as DROP rules in iptables where they have
multiple authentication issues, or where they are trying to brute force via
XMLRPC
I've been watching active responses lately and it seems like they don't
always generate an active response. I have the settings properly but I
would say the actual active response triggers about 25% of the time. I say
that because the alerts.log (and respective emails in my inbox) indicate
the
* BP9906 crazi...@gmail.com [2014-05-30 14:42:09 -0700]:
I've been watching active responses lately and it seems like they don't
always generate an active response. I have the settings properly but I
would say the actual active response triggers about 25% of the time. I say
that because the
Today my campus' vulnerability scanner was blocked by OSSEC. That I
expected, but what I didn't expect was there to be no log entries of
WHAT triggered the active response. My config for host-deny and
firewall-drop is set to level 6, yet I can't find in any logs what
event triggered the active
On 06/09/2011 12:54 AM, treydock wrote:
Looking at Rule #5706 this is Level 6 so it correctly triggered an
active response. However I'm concerned as to why OSSEC didn't log an
alert or anything besides the active-response.
What more are you
On Thu, Jun 9, 2011 at 12:54 AM, treydock treyd...@gmail.com wrote:
Today my campus' vulnerability scanner was blocked by OSSEC. That I
expected, but what I didn't expect was there to be no log entries of
WHAT triggered the active response. My config for host-deny and
firewall-drop is set to
Hello,
We have our active responses set to time out at 86,400 seconds (24
hours). However, I notice that they are timing out after only 20
hours.
Can OSSEC only handle a fixed number of current active responses at
one time so that it immediately expires current active responses in
order to make
Hi Daniel,
Thank you, I was able to get that working.
Eric
----- Original Message -----
From: Daniel Cid daniel@gmail.com
To: ossec-list@googlegroups.com
Sent: Monday, April 26, 2010 10:12:52 AM
Subject: Re: [ossec-list] Active Responses
Hi Eric,
You don't have to duplicate
Hi Eric,
You don't have to duplicate the scripts. Just add a new
active-response section and give it a very
high timeout and specify the rule id you want:
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>3302</rules_id>
    <timeout></timeout>
  </active-response>
I would like to treat one Rule violation different from the rest. I'll
duplicate the scripts for firewall drop under a different name and add
commands in ossec.conf for the new script.
Instead of Level 7 or above triggering the command, I'd like to have a
specific postfix rule be the trigger.
Hi Ossec List
Is it possible to execute a Perl file within the active responses? Or
are only bash scripts allowed?
Thanks.
Regards,
Daniel