Hi Stephen,

It is actually a bug in ossec. You need to set it to: (note the underline instead of a dash)

<active_response>
  <disabled>yes</disabled>
</active_response>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/21/07, Stephen Williamson <[EMAIL PROTECTED]> wrote:
>
> I have some agents that I installed (ver 1.3) on Red Hat Linux. I installed with active response disabled. In the ossec.conf I have the entries:
>
> <active-response>
>   <disabled>yes</disabled>
> </active-response>
>
> I start the agents and certain types of activity cause the active response to fire (false positives). Here are some entries in the active-responses.log:
>
> Tue Aug 21 13:23:57 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.180 1187724114.275471 20100
> Tue Aug 21 13:25:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.177 1187724222.472389 20101
> Tue Aug 21 13:25:48 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 64.73.46.137 1187724224.472771 20101
> Tue Aug 21 13:27:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 69.66.62.2 1187724342.474372 20100
> Tue Aug 21 13:32:04 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 63.103.212.185 1187724600.478238 20101
> Tue Aug 21 13:33:34 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.7 1187723788.271250 20101
> Tue Aug 21 13:36:02 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.180 1187724114.275471 20100
>
> Am I misinterpreting the entry in ossec.conf?
>
> --
>
> Stephen Williamson
> Secured Technology LLC
> Phone: 913.219.6142
> Office: 913.236.4288
> email: [EMAIL PROTECTED]
>
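The two things this thread turns on are (a) whether the ossec.conf block that is meant to switch active response off uses the spelling the agent actually reads, and (b) what the active-responses.log entries say about which addresses firewall-drop.sh has blocked. The script below is an added example written for this page, not code from the thread or from the OSSEC project. It assumes, following Daniel's reply for version 1.3, that the honoured tag is `<active_response>` and that a dashed `<active-response>` block is ignored; it also assumes the log line layout `date script action user srcip alert_id rule_id`, which matches the arguments OSSEC passes to active-response scripts. The config fragments are constructed; the sample log lines are copied from Stephen's post with his masked `xx.xx.` addresses left as they are.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed ossec.conf fragments: the dashed spelling from the original post
# and the underscore spelling the reply says OSSEC 1.3 actually reads.
CONF_DASHED = (
    "<ossec_config><active-response><disabled>yes</disabled>"
    "</active-response></ossec_config>"
)
CONF_UNDERSCORE = (
    "<ossec_config><active_response><disabled>yes</disabled>"
    "</active_response></ossec_config>"
)

HONOURED_TAG = "active_response"  # assumption: per the reply, for OSSEC 1.3


def active_response_disabled(conf_xml: str) -> bool:
    """True only if the honoured tag is present with <disabled>yes</disabled>."""
    root = ET.fromstring(conf_xml)
    block = root.find(HONOURED_TAG)
    if block is None:
        return False
    flag = block.find("disabled")
    return flag is not None and (flag.text or "").strip().lower() == "yes"


def misspelled_blocks(conf_xml: str) -> list:
    """Tags that look like the active-response block but use a spelling
    OSSEC would not recognise (e.g. a dash instead of the underscore)."""
    root = ET.fromstring(conf_xml)
    return [
        el.tag
        for el in root.iter()
        if el.tag != HONOURED_TAG and el.tag.replace("-", "_") == HONOURED_TAG
    ]


# active-responses.log entries as quoted in the post (masked IPs kept).
SAMPLE_LOG = [
    "Tue Aug 21 13:23:57 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.180 1187724114.275471 20100",
    "Tue Aug 21 13:25:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.177 1187724222.472389 20101",
    "Tue Aug 21 13:25:48 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 64.73.46.137 1187724224.472771 20101",
    "Tue Aug 21 13:27:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 69.66.62.2 1187724342.474372 20100",
    "Tue Aug 21 13:32:04 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 63.103.212.185 1187724600.478238 20101",
    "Tue Aug 21 13:33:34 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.7 1187723788.271250 20101",
    "Tue Aug 21 13:36:02 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.180 1187724114.275471 20100",
]

# Assumed field layout: date, script, action, user, srcip, alert id, rule id.
LOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)


def parse_ar_line(line: str):
    """Parse one active-responses.log line into a dict, or None if it
    does not match the expected layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines) -> dict:
    """Count add/delete actions per rule id and work out which source
    addresses are still blocked at the end of the log window. A delete
    for an address whose add predates the window is simply discarded."""
    adds, deletes, blocked = Counter(), Counter(), set()
    for line in lines:
        rec = parse_ar_line(line)
        if rec is None:
            continue
        if rec["action"] == "add":
            adds[rec["rule_id"]] += 1
            blocked.add(rec["srcip"])
        else:
            deletes[rec["rule_id"]] += 1
            blocked.discard(rec["srcip"])
    return {"adds_per_rule": adds, "deletes_per_rule": deletes, "blocked": blocked}


if __name__ == "__main__":
    for name, conf in (("dashed", CONF_DASHED), ("underscore", CONF_UNDERSCORE)):
        print(name, "disabled:", active_response_disabled(conf),
              "unrecognised tags:", misspelled_blocks(conf))
    print(summarize(SAMPLE_LOG))
```

Run against the dashed fragment the checker reports that active response is not disabled and names `active-response` as the unrecognised tag, which is exactly the situation in the post: the agent kept firing firewall-drop.sh because the block it was told to read was never there. The log summary shows three adds on rule 20101 and two on 20100, and four addresses still blocked once the two deletes are applied; that is the list to reconcile against the host's iptables rules when cleaning up after false positives.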
