Hi Andrew,

Thanks for the report. I just fixed it in the following snapshot:

http://www.ossec.net/files/snapshots/ossec-hids-080524.tar.gz

Please try it out to make sure it is still working (should be :) )

Thanks!

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, May 22, 2008 at 6:09 PM, Andrew Storms <[EMAIL PROTECTED]> wrote:
>
> Yes, sorry for the long subject line.
>
> I just noticed that the null-route script for active response (this is
> version 1.4) specifies 0.0.0.0 for the IP when the OS is FreeBSD.
>
> This is a snippet from the script:
>
> if [ "X${UNAME}" = "XFreeBSD" ]; then
>     route -q add ${IP} 0.0.0.0 -blackhole
>     exit 0;
> fi
>
> While this works, it also can cause the system to arp for 0.0.0.0, which in
> turn can send out all kinds of fun broadcast traffic. My suggestion would
> be to use localhost instead:
>
> if [ "X${UNAME}" = "XFreeBSD" ]; then
>     route -q add ${IP} 127.0.0.1 -blackhole
>     exit 0;
> fi
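
An added example, not part of the thread and not OSSEC's own script: a dry-run builder for the FreeBSD null-route command discussed above, using the 127.0.0.1 gateway from the suggestion in the quoted report. The function names, the add/delete interface, the protected-address policy and the sample address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not OSSEC's script). Prints the FreeBSD route command that a
# null-route response would run; it executes nothing itself.
# Assumed interface: null_route_cmd ACTION IP, with ACTION = add | delete.

GATEWAY="127.0.0.1"   # loopback gateway from the thread, instead of 0.0.0.0

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Example policy (an assumption): addresses an automated response must not
# blackhole, including the gateway used for the blackhole route itself.
protected_ip() {
    case "$1" in
        0.*|127.*|255.255.255.255) return 0 ;;
    esac
    return 1
}

null_route_cmd() {
    action=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "invalid IP: $ip" >&2; return 1; }
    if protected_ip "$ip"; then
        echo "refusing protected IP: $ip" >&2
        return 1
    fi
    case "$action" in
        add)    echo "route -q add $ip $GATEWAY -blackhole" ;;
        delete) echo "route -q delete $ip" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
}
```

Printing the command rather than running it lets the result be reviewed or logged before anything touches the routing table.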
