On Mon, 2006-07-17 at 21:45 +0300, oahmet wrote:
> Hi Stephen,
>
> Please be sure that you enabled the active response on ossec-conf
> file. (Ref: http://www.ossec.net/en/manual.html#active-response-config).
>
> Then, please verify you have related entries in
> /var/ossec/active-response/ossec-hids-responses.log.
> For example I have the following line for an attacking IP;
>
> Mon Jul 17 21:34:54 EEST 2006
> /var/ossec/active-response/bin/firewall-drop.sh add null 192.1681.4
>
> Btw, to check whether firewall-drop.sh works, you may execute the
> command above by hand and see if it adds the IP to ipfilter.
>
> Regards,
>
> Ahmet Ozturk.

Thanks for the response. Yes, I found the logs yesterday. I wasn't paying attention when I installed as to where the logs were being kept, but I have verified that active-response is working. Kind of funny actually, because I locked myself out of my machine while I was still looking for the logs when I ran a scan against my machine. :)
