Hi Ken,
The OSSEC server sends the alerts immediately to the agents, so this hour-long delay should never happen (are the times in sync between them?). Another thing to keep in mind is that if you try to block the same IP twice, it will not block it two times, but just update the removal time to a later time (if the active response supports timeout)...

* The server does not log the active responses, but we can add something like that for the next version (helpful during debugging).
* If you can show us your active response logs and the alerts, we can try to find any problem...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/31/06, Ken A <[EMAIL PROTECTED]> wrote:
> I'm seeing an occasional attack 'missed' by active response for up to a couple hours, then a trigger of firewall-drop.sh on the client. The rules that match src_ip are being triggered, and I'm getting the alert emails. The active-response shows up in the ossec-hids-responses.log on the client, but very much too late.
>
> Does the server log the active response actions that it tries to carry out on clients? I'm trying to figure out if this is a network issue or if it's ossec-hids.
>
> Thanks,
> Ken A.
> Pacific.Net
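Since the server side does not log active responses, the client-side response log is the only place to measure the alert-to-response lag Ken describes. The script below is an added example, not code from the thread or from the OSSEC project; it assumes the stock response-script log line format ("`date` script action user src_ip alert_id rule_id"), that the `date` output is in UTC, and that the integer part of the alert id is the server's epoch time when the alert fired. The sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of client-side active-response log lines. Format assumed
# from the stock OSSEC scripts: "`date` script action user src_ip alert_id rule_id".
SAMPLE_RESPONSES = """\
Thu Aug 31 10:02:17 UTC 2006 /var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.7 1157018536.1024 5712
Thu Aug 31 12:15:03 UTC 2006 /var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.9 1157018972.2048 5712
Thu Aug 31 12:15:09 UTC 2006 /var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.9 1157026503.4096 5712
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<ip>\S+) "
    r"(?P<alert_epoch>\d+)\.\d+ (?P<rule>\d+)$"
)

def parse_response(line, tz=timezone.utc):
    """Return (run_epoch, alert_epoch, ip, action), or None for unparsable lines.
    The `date` output is assumed to be in `tz`; the alert id's integer part is
    assumed to be the server-side epoch at which the alert was generated."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    run_epoch = int(when.replace(tzinfo=tz).timestamp())
    return run_epoch, int(m["alert_epoch"]), m["ip"], m["action"]

def late_responses(log_text, max_lag=300):
    """List (ip, lag_seconds) for 'add' actions run more than max_lag seconds
    after their alert. A similar lag on every line points at clock skew between
    server and agent; a lag on only some lines points at delivery delay."""
    late = []
    for line in log_text.splitlines():
        rec = parse_response(line)
        if rec and rec[3] == "add" and rec[0] - rec[1] > max_lag:
            late.append((rec[2], rec[0] - rec[1]))
    return late

def block_expiry(log_text, timeout=600):
    """Model the timeout semantics from the thread: a repeated 'add' for an IP
    does not stack a second block, it only moves the removal time to
    run_epoch + timeout. Returns {ip: expiry_epoch}."""
    expiry = {}
    for line in log_text.splitlines():
        rec = parse_response(line)
        if rec and rec[3] == "add":
            expiry[rec[2]] = rec[0] + timeout
    return expiry
```

Run against the real ossec-hids-responses.log, a single line with a lag of hours (as in the sample's second line) is the case to chase, while a constant offset on every line suggests the clocks rather than the network.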
