Just a reminder that ossec by default only blocks for 10 minutes. So, if you look later, you will not see the ip address in the iptables list.
--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/17/06, oahmet <[EMAIL PROTECTED]> wrote:
>
> Hi Stephen,
>
> Please be sure that you enabled the active response in the ossec-conf
> file. (Ref: http://www.ossec.net/en/manual.html#active-response-config).
>
> Then, please verify you have related entries in
> /var/ossec/active-response/ossec-hids-responses.log.
> For example, I have the following line for an attacking IP:
>
> Mon Jul 17 21:34:54 EEST 2006
> /var/ossec/active-response/bin/firewall-drop.sh add null 192.1681.4
>
> Btw, to check whether firewall-drop.sh works, you may execute the
> command above by hand and see if it adds the IP to ipfilter.
>
> Regards,
>
> Ahmet Ozturk.
>
> Stephen Bunn wrote:
> > Hello all,
> >
> > I have set up ossec to add iptables rules when it detects a
> > scan/attack, but I don't think this is happening. How can I verify that
> > this is occurring?
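The two checks discussed in this thread (look for firewall-drop.sh entries in the active-response log, and remember that a block is removed again after the timeout) can be combined in one pass over the log. The script below is an added example, not part of the original messages or of OSSEC itself. It assumes each log line has the form shown in the quoted sample (date, script path, action, user, IP) and that the timed-out removal is logged the same way with `delete`; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise firewall-drop.sh entries from an OSSEC
# active-response log read on stdin.
# Assumption: each line is "<date> <script path> <add|delete> <user> <ip>",
# as in the sample line quoted in the thread, and the timed-out removal
# is logged the same way with "delete".
ar_last_action() {
    awk '
    {
        # Locate the script field so the width of the date does not matter.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /firewall-drop\.sh$/ && i + 3 <= NF) {
                action = $(i + 1); ip = $(i + 3)
                if (action != "add" && action != "delete") next
                when = ""
                for (j = 1; j < i; j++) when = when (j > 1 ? " " : "") $j
                last[ip] = action; seen[ip] = when
                if (!(ip in order)) { order[ip] = ++n; ips[n] = ip }
                next
            }
        }
    }
    END {
        # One line per address, in order of first appearance.
        for (k = 1; k <= n; k++) {
            ip = ips[k]
            state = (last[ip] == "add") ? "should-be-blocked" : "block-removed"
            printf "%s %s (last: %s at %s)\n", ip, state, last[ip], seen[ip]
        }
    }'
}

# Constructed sample log (documentation addresses, not real data).
sample_log() {
    cat <<'EOF'
Mon Jul 17 21:34:54 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 192.0.2.10
Mon Jul 17 21:40:02 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 203.0.113.7
Mon Jul 17 21:44:55 EEST 2006 /var/ossec/active-response/bin/firewall-drop.sh delete null 192.0.2.10
EOF
}

sample_log | ar_last_action
```

To use it on a real system, pipe the actual log file into `ar_last_action`; an address reported as `should-be-blocked` is one that ought to appear in `iptables -L -n`, while `block-removed` explains why an earlier offender is no longer listed.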
