Hi Francesca,

Can you show us the alert (or a few of them) that are causing the active response to be executed? Can you also show us a few entries from your active response log at /var/ossec/active-response/*.log (on the agent)?

Basically, the server compares the IP extracted from the log with the IP or network in the white list. If they match, the response is not executed at all. Maybe ossec is extracting something different than what we may be expecting (like a hostname). We sometimes have problems with that since ossec doesn't do a reverse lookup and it will attempt to block based on the hostname (and they never match with the white_list)...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/19/06, Francesca Smith <[EMAIL PROTECTED]> wrote:
On Tuesday 19 September 2006 07:28, Leonardo Goldim wrote:

Leonardo,

Attached .. Now I may have not been clear. The whitelist does work properly on the server .. But agent nodes I don't see a white list facility at all ..

The ip is in this range where my "Chatty" NMS lives is below .. opennms is the software used.

207.210.240.0/24

> Hello Francesca,
>
> please send your ossec.conf so we can help you.

--
Kindest Regards,

Francesca Smith
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
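
The whitelist comparison described in the reply above, as an added example that is not part of the original thread and not OSSEC's own code: it shows why a value extracted as a hostname can never match an IP or network entry such as 207.210.240.0/24. The function names, decision labels and every sample value other than that /24 are constructed for illustration.

```python
import ipaddress


def parse_white_list(entries):
    """Turn white list entries (single IPs or CIDR networks) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def whitelist_decision(extracted, white_list):
    """Classify the value extracted from a log line against the white list.

    Returns:
      "skip"             the value is an IP covered by the white list
      "respond"          the value is an IP outside the white list
      "respond-hostname" the value is not an IP at all, so no IP/network
                         entry can match it and the response still runs
    """
    try:
        addr = ipaddress.ip_address(extracted.strip())
    except ValueError:
        # No reverse or forward lookup is done here, mirroring the reply:
        # a hostname is compared as-is and therefore never matches.
        return "respond-hostname"
    if any(addr in net for net in parse_white_list(white_list)):
        return "skip"
    return "respond"


def audit(extracted_values, white_list):
    """Return {value: decision} so hostname extractions stand out."""
    return {v: whitelist_decision(v, white_list) for v in extracted_values}


# Constructed sample input. Only 207.210.240.0/24 comes from the thread.
WHITE_LIST = ["127.0.0.1", "207.210.240.0/24"]
SAMPLES = ["207.210.240.17", "198.51.100.9", "nms.example.org"]

if __name__ == "__main__":
    for value, decision in audit(SAMPLES, WHITE_LIST).items():
        print(f"{value:20} {decision}")
```

Running the same check over the values that appear in the active response log separates "the white list is not applied" from "the extracted value was never an IP".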
