I have some agents that I installed (ver 1.3) on Red Hat Linux.  I 
installed with active response disabled.  In the ossec.conf I have the 
entries:

  <active-response>
    <disabled>yes</disabled>
  </active-response>

I start the agents and certain types of activity cause the active 
response to fire (false positives).  Here are some entries in the 
active-responses.log:

Tue Aug 21 13:23:57 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.180 1187724114.275471 20100
Tue Aug 21 13:25:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.177 1187724222.472389 20101
Tue Aug 21 13:25:48 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 64.73.46.137 1187724224.472771 20101
Tue Aug 21 13:27:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 69.66.62.2 1187724342.474372 20100
Tue Aug 21 13:32:04 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 63.103.212.185 1187724600.478238 20101
Tue Aug 21 13:33:34 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.7 1187723788.271250 20101
Tue Aug 21 13:36:02 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.180 1187724114.275471 20100

Am I misinterpreting the entry in ossec.conf?

-- 

Stephen Williamson
Secured Technology LLC
Phone: 913.219.6142
Office:913.236.4288
email:[EMAIL PROTECTED]
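
An added check, written for this thread and not part of Stephen's post or of OSSEC itself: it parses the agent-side ossec.conf fragment and active-responses.log lines in the layout quoted above, and flags the contradiction described (responses firing while the config says disabled) plus any IP whose "add" never got a matching "delete". The log lines are copied from the post; the config is the post's snippet wrapped in an assumed <ossec_config> root so it parses as XML.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Agent-side snippet from the post, wrapped in an assumed <ossec_config> root.
OSSEC_CONF = """<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>"""

# Three lines copied from the post's active-responses.log (IPs masked as in the post).
LOG_LINES = """Tue Aug 21 13:23:57 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.180 1187724114.275471 20100
Tue Aug 21 13:25:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.177 1187724222.472389 20101
Tue Aug 21 13:36:02 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.180 1187724114.275471 20100
"""

# Layout: timestamp, script path, add|delete, user, source IP, alert id, rule id.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \w+ \d{4}) (?P<script>\S+) "
    r"(?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) (?P<alert_id>\S+) (?P<rule>\d+)$"
)

def active_response_disabled(conf_text):
    """True if every <active-response> block under the root sets <disabled>yes</disabled>."""
    root = ET.fromstring(conf_text)
    blocks = root.findall("active-response")
    return bool(blocks) and all(
        (b.findtext("disabled") or "").strip().lower() == "yes" for b in blocks
    )

def parse_log(text):
    """Parse active-responses.log lines into dicts; lines that do not fit the layout are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LOG_RE.match(line.strip()))]

def audit(conf_text, log_text):
    """Count fired responses per rule, list IPs still blocked, and flag config/log mismatch."""
    entries = parse_log(log_text)
    adds_per_rule = Counter(e["rule"] for e in entries if e["action"] == "add")
    outstanding = set()  # (ip, alert_id) pairs added but not yet deleted
    for e in entries:
        key = (e["ip"], e["alert_id"])
        outstanding.add(key) if e["action"] == "add" else outstanding.discard(key)
    disabled = active_response_disabled(conf_text)
    return {
        "config_disabled": disabled,
        "adds_per_rule": dict(adds_per_rule),
        "still_blocked": sorted(ip for ip, _ in outstanding),
        "mismatch": disabled and bool(adds_per_rule),
    }
```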
