Hi Gareth,
OSSEC by default will remove the active response after 10 minutes, so if you take a while to look at them, they will not be there anymore.

Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 116.21.125.24 1178848544.10311 3104

See that we added at 03:55 and removed at 04:06... You can increase the timeout of them if you want...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/10/07, Gareth Slaven <[EMAIL PROTECTED]> wrote:

Hi there … I have set up ossec with active response using firewall-drop.sh, but I can't see deny rules being added to my iptables firewall rules. Here is the ossec log, which says it's adding the rules, but I can't see anywhere in my system where the ip is being denied … what am I missing?

/var/ossec/logs/active-responses.log

Fri May 11 01:46:32 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 70.43.201.230 1178840162.4923 3104
Fri May 11 01:46:32 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 70.43.201.230 1178840162.4923 3104
Fri May 11 02:22:24 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:22:24 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:31:12 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 221.221.173.175 1178843472.7158 3104
Fri May 11 02:31:12 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 221.221.173.175 1178843472.7158 3104
Fri May 11 02:32:42 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:32:42 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:41:42 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 221.221.173.175 1178843472.7158 3104
Fri May 11 02:41:42 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 221.221.173.175 1178843472.7158 3104
Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:14:36 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 196.211.168.210 1178849676.11462 3104
Fri May 11 04:14:36 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 196.211.168.210 1178849676.11462 3104

--Gareth
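A quick way to confirm Daniel's explanation from the log itself, as an added example that is not part of this thread or of OSSEC: the script below parses lines in the active-responses.log format shown above, pairs each "add" with its "delete" (same script, IP and alert id), and reports how long each block lasted and which blocks are still active. The sample log lines are constructed (TEST-NET addresses) and only mirror the format from the thread.

```python
import re
from datetime import datetime, timedelta

# One active-responses.log entry, in the format shown in the thread:
# "<weekday> <month> <day> <HH:MM:SS> <zone> <year> <script> <add|delete> <user> <ip> <alert id> <rule id>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert>\S+) (?P<rule>\d+)$"
)

def parse_line(line):
    """Return the fields of one log entry as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # The zone name is not parsed: all entries in one log share the same local zone.
    entry["time"] = datetime.strptime(f"{entry['ts']} {entry['year']}", "%a %b %d %H:%M:%S %Y")
    return entry

def summarize(lines, timeout=timedelta(minutes=10)):
    """Pair adds with deletes. Returns (completed, active):
    completed: list of (script, ip, duration) for blocks that were removed again;
    active: list of (script, ip, added_at, expected_removal) for blocks with no delete yet,
    expected_removal assuming the default 10-minute timeout the thread mentions."""
    pending = {}
    completed = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = (e["script"], e["ip"], e["alert"])   # one entry per response script
        if e["action"] == "add":
            pending[key] = e["time"]
        elif key in pending:
            completed.append((e["script"], e["ip"], e["time"] - pending.pop(key)))
    active = [(s, ip, t, t + timeout) for (s, ip, _), t in pending.items()]
    return completed, active

# Constructed sample log (same layout as the thread's active-responses.log).
SAMPLE_LOG = [
    "Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1178848544.10311 3104",
    "Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1178848544.10311 3104",
    "Fri May 11 04:14:36 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.20 1178849676.11462 3104",
]

if __name__ == "__main__":
    done, still_active = summarize(SAMPLE_LOG)
    for script, ip, dur in done:
        print(f"{ip}: blocked for {dur} by {script}")
    for script, ip, added, expires in still_active:
        print(f"{ip}: still blocked since {added}, expected removal {expires}")
```

Running it on the thread's real log would show every add followed by its delete roughly 10 minutes later, which is why the iptables rules were already gone when Gareth looked.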
