On Tuesday 19 September 2006 12:56, Rafael Capovilla wrote:

Rafael,

Ok .. so I am just changing the timeout from 600 to 300.

Ok cool but I would love to know what that is doing if this works thank you :-)

It's the latest. "0.9-1a" I loaded this up yesterday.

I will give this a try. It won't take long to trigger or not.

Thanks!!

> Try this on server conf:
>
> <active-response>
>   <!-- This response is going to execute the host-deny
>      - command for every event that fires a rule with
>      - level (severity) >= 6.
>      - The IP is going to be blocked for 600 seconds.
>      -->
>   <command>host-deny</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>300</timeout>
> </active-response>
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>      -->
>   <command>firewall-drop</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>300</timeout>
> </active-response>
>
> And btw which version of ossec are you using?
>
> 2006/9/19, Francesca Smith <[EMAIL PROTECTED]>:
> > On Tuesday 19 September 2006 12:42, Rafael Capovilla wrote:
> > Hello,
> >
> > I am not being very clear here :-)
> >
> > I have a central Network Monitoring Station. It regularly polls all my
> > servers worldwide to check on health.
> >
> > I added that NMS IP to my server node during installation as a
> > whitelisted IP.
> >
> > Yet still agent node machines are auto blocking this IP, still causing
> > the NMS to of course think they are off line.
> >
> > I have done all the usual stuff such as restarting ossec etc.
> >
> > Server node is a FreeBSD 5.5 server and Agent nodes are CentOS 4.4.
> >
> > > Why do you want white_list on agent side if it is controlled on server
> > > side? Do you want to white_list some ips for just a few agents instead
> > > of all?
> > >
> > > 2006/9/19, Francesca Smith <[EMAIL PROTECTED]>:
> > > > On Tuesday 19 September 2006 12:27, Rafael Capovilla wrote:
> > > > Hello,
> > > >
> > > > That's exactly the issue.
> > > >
> > > > The IP is listed on the server but I am still getting blocks on agent
> > > > nodes.
> > > >
> > > > > You don't need white_list on the agent side, the server controls
> > > > > everything about active-responses.
> > > > >
> > > > > 2006/9/19, Francesca Smith <[EMAIL PROTECTED]>:
> > > > > > On Tuesday 19 September 2006 07:28, Leonardo Goldim wrote:
> > > > > > Leonardo,
> > > > > >
> > > > > > Attached ..
> > > > > >
> > > > > > Now I may have not been clear. The whitelist does work properly
> > > > > > on the server .. But agent nodes I don't see a white list
> > > > > > facility at all ..
> > > > > >
> > > > > > The ip is in this range where my "Chatty" NMS lives is below ..
> > > > > > opennms is the software used.
> > > > > >
> > > > > > 207.210.240.0/24
> > > > > >
> > > > > > > Hello Francesca,
> > > > > > >
> > > > > > > please send your ossec.conf so we can help you.
> > > > > >
> > > > > > --
> > > > > > Kindest Regards,
> > > > > >
> > > > > > Francesca Smith
> > > > > >
> > > > > > "No Problems Only Solutions"
> > > > > > Lady Linux Internet Services
> > > > > > Baltimore, Maryland 21217
> > > >
> > > > --
> > > > Kindest Regards,
> > > >
> > > > Francesca Smith
> > > >
> > > > "No Problems Only Solutions"
> > > > Lady Linux Internet Services
> > > > Baltimore, Maryland 21217
> >
> > --
> > Kindest Regards,
> >
> > Francesca Smith
> >
> > "No Problems Only Solutions"
> > Lady Linux Internet Services
> > Baltimore, Maryland 21217

--
Kindest Regards,

Francesca Smith

"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
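
Added example, not part of the original thread and not OSSEC project code: a Python check that reads a server-side ossec.conf and reports which white_list entry covers a source IP, such as an address in the NMS range above, and which active-response commands and timeouts are configured. The sample config, the test addresses and the function names are constructed for illustration; it assumes white_list entries are IPs or CIDR netblocks under <global>.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample of a server-side ossec.conf (not the poster's real file).
SAMPLE_CONF = """
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>207.210.240.0/24</white_list>
  </global>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>300</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>300</timeout>
  </active-response>
</ossec_config>
"""

def load(conf_text):
    # ossec.conf may hold several <ossec_config> roots, so wrap them in one.
    return ET.fromstring("<root>" + conf_text + "</root>")

def whitelist_match(conf_text, ip):
    """Return the white_list entry that covers ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for node in load(conf_text).iter("white_list"):
        entry = (node.text or "").strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname or malformed entry: cannot be compared
        if addr in net:
            return entry
    return None

def active_responses(conf_text):
    """List (command, level, timeout) for every active-response block."""
    return [(ar.findtext("command", "").strip(),
             int(ar.findtext("level", "0")), int(ar.findtext("timeout", "0")))
            for ar in load(conf_text).iter("active-response")]

if __name__ == "__main__":
    print(whitelist_match(SAMPLE_CONF, "207.210.240.15"), active_responses(SAMPLE_CONF))
```

Running it against the manager's real ossec.conf confirms whether the netblock is actually present in the file the server loads, which is the first thing to rule out when agents still block a supposedly whitelisted address.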
