Hi Stephen,

Please be sure that you enabled the active response in the ossec-conf file. (Ref: http://www.ossec.net/en/manual.html#active-response-config).

Then, please verify you have related entries in /var/ossec/active-response/ossec-hids-responses.log. For example, I have the following line for an attacking IP:

Mon Jul 17 21:34:54 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 192.1681.4

Btw, to check whether firewall-drop.sh works, you may execute the command above by hand and see if it adds the IP to ipfilter.

Regards,
Ahmet Ozturk.

Stephen Bunn wrote:
> Hello all,
>
> I have set up ossec to add iptables rules when it detects a
> scan/attack, but I don't think this is happening. How can I verify that
> this is occurring?
>
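
Added example, not part of the original thread and not OSSEC's own code: a shell sketch of the verification discussed above, which summarises firewall-drop.sh actions per IP from the active-response log and lists IPs logged as blocked that have no entry in a saved iptables listing. The field layout is assumed from the sample line in the reply; the function names `ar_summary` and `ar_missing_rules`, the log lines and the rule listing are constructed for illustration.

```shell
#!/bin/sh
# Assumed log layout, taken from the sample line quoted in the thread:
#   <6 date fields> <script path> <add|delete> <user> <ip>

# Per-IP summary of firewall-drop.sh actions found in the log file "$1".
ar_summary() {
    awk '
        $7 ~ /firewall-drop\.sh$/ && ($8 == "add" || $8 == "delete") {
            if ($8 == "add") adds[$10]++; else dels[$10]++
            seen[$10] = 1
        }
        END {
            for (ip in seen) {
                a = adds[ip] + 0; d = dels[ip] + 0
                printf "%s adds=%d deletes=%d state=%s\n", ip, a, d, (a > d ? "blocked" : "released")
            }
        }' "$1" | sort
}

# IPs the log says are still blocked but that appear in no field of the
# saved firewall rule listing "$2" (e.g. output of: iptables -L INPUT -n).
ar_missing_rules() {
    ar_summary "$1" | awk '$4 == "state=blocked" { print $1 }' |
    while read -r ip; do
        awk -v ip="$ip" '{ for (i = 1; i <= NF; i++) if ($i == ip) f = 1 }
                         END { exit !f }' "$2" || echo "$ip"
    done
}

# Constructed sample data (documentation address ranges), not real logs.
SAMPLE_LOG=$(mktemp); SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mon Jul 17 21:34:54 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 192.0.2.10
Mon Jul 17 21:44:54 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh delete null 192.0.2.10
Mon Jul 17 21:50:02 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 198.51.100.7
Mon Jul 17 21:50:03 EEST 2006 /var/ossec/active-response/bin/host-deny.sh add null 198.51.100.7
Mon Jul 17 21:55:10 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 203.0.113.5
EOF
cat > "$SAMPLE_RULES" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.5          0.0.0.0/0
EOF

ar_summary "$SAMPLE_LOG"
echo "logged as blocked but no matching rule:"
ar_missing_rules "$SAMPLE_LOG" "$SAMPLE_RULES"
```

An IP reported by `ar_missing_rules` means the log recorded the add but the rule is not in the listing, which is the case the manual run of firewall-drop.sh helps isolate.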
