Hello,

Just bumping this issue. Does anyone know anything about this?

Thanks,
Joel Oliveira

On Wednesday, 21 March 2012 16:58:44 UTC, Joel Oliveira wrote:
> Hello Daniel and all,
>
> I am using OSSEC 2.5.1 on different Linux environments for the past year and a half with OpenSIPs and Asterisk applications to ban SIP brute-forcing attackers and of course it is doing its job very well. Thank you to all people involved with the development of this software.
>
> So, for the past 2 days I've been in a battle with having a way to check which IPs are blocked by OSSEC-Server in an agent. I know that if I look into the active-responses.log I'll see what the actions taken in a certain agent were (add and delete from the iptables) and if I look at the iptables I'll be able to see the blocked IPs as well. But in an agent where the iptables are complex there is no way of making sure that I am looking at OSSEC-inserted rules.
>
> My theory is that the server or the agent knows the association between the timeout, the blocked IP and the agent so that it can remove that active-response (rule in the iptables) just after the timeout occurred. Question is: where can I find that association, i.e. where is the list of the blocked IPs of an agent?
>
> I already looked into this list and the IRC channel and didn't find any information regarding this, which for me is odd because it seems to me that this should be a functionality asked for by a lot of people.
>
> On the same page as this problem, I would like to know if it's possible to remove an iptables rule without doing an "iptables -D" and without restarting the agent. You see, if I remove a rule "by hand", and because I am using timeouts of 24h, if the attacker tries again it'll send email_alerts but it'll not apply the active-response. So, my other question is: is it possible to remove an active response before its timeout where the agent is aware of that?
>
> Thank you very much for your time. Best Regards,
> Joel Oliveira
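One practical way to answer the first question from the data the agent already has is to replay active-responses.log: every ban is an "add" line and every timeout expiry is a "delete" line for the same IP, so the IPs whose last event is "add" are the ones OSSEC still considers blocked. The script below is an added example written for this thread, not OSSEC code. It assumes the line layout that the stock firewall-drop.sh appends to the log (the output of `date`, then the script path, action, user, IP, alert id and rule id, in the C locale and UTC), assumes you pass in the timeout from the `<active-response>` block in ossec.conf, and uses sample log lines I constructed; `active_bans`, `parse_ts`, `SAMPLE_LOG` and `LINE_RE` are my names.

```python
"""Replay an OSSEC agent's active-responses.log to list the IPs it should
currently have blocked. Added example for the thread, not OSSEC code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real data. Assumed line layout: what the stock
# firewall-drop.sh appends, i.e. "`date` $0 ACTION USER IP ALERTID RULEID".
SAMPLE_LOG = """\
Wed Mar 21 16:58:44 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1332349124.4567 5712
Wed Mar 21 17:10:02 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1332349802.1234 5712
Wed Mar 21 17:20:02 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1332349124.4567 5712
Wed Mar 21 17:25:00 UTC 2012 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.9 1332349802.1234 5712
"""

# Lazy date group stops at the first " /", where the script path begins.
LINE_RE = re.compile(
    r"^(?P<date>.+?) (?P<script>/\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<ip>\S+)(?: (?P<alert>\S+))?(?: (?P<rule>\S+))?\s*$"
)
DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # `date` output in the C locale, UTC assumed


def parse_ts(text):
    """Turn the `date` prefix into a timezone-aware UTC datetime."""
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


def active_bans(log_text, timeout_seconds, now_text, script="firewall-drop.sh"):
    """Replay add/delete events for one AR script and return the IPs whose
    last event is 'add', as a list of dicts sorted by IP. 'stale' is True when
    the configured timeout has already passed but no 'delete' was ever logged,
    so the log alone cannot tell you whether the iptables rule is still there
    and that host deserves a manual look."""
    now = parse_ts(now_text)
    timeout = timedelta(seconds=timeout_seconds)
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("script").endswith("/" + script):
            continue  # unparseable line, or another AR script (host-deny.sh, ...)
        ip = m.group("ip")
        if m.group("action") == "add":
            added = parse_ts(m.group("date"))
            bans[ip] = {"ip": ip, "rule": m.group("rule"), "added": added,
                        "expires": added + timeout}
        else:
            bans.pop(ip, None)  # a delete without a prior add is harmless
    out = []
    for entry in sorted(bans.values(), key=lambda e: e["ip"]):
        entry["stale"] = now >= entry["expires"]
        out.append(entry)
    return out


if __name__ == "__main__":
    # 24h timeout as used in the thread; "now" is constructed to fit the sample.
    for b in active_bans(SAMPLE_LOG, 86400, "Wed Mar 21 17:30:00 UTC 2012"):
        print(f'{b["ip"]:<16} rule {b["rule"]} added {b["added"]:%H:%M:%S} '
              f'expires {b["expires"]:%Y-%m-%d %H:%M:%S} stale={b["stale"]}')
```

To use it on a real agent, read /var/ossec/logs/active-responses.log instead of SAMPLE_LOG and pass the timeout configured for firewall-drop in ossec.conf; then compare the list with `iptables -L -n` to spot rules that OSSEC thinks exist but do not. That comparison is also the answer to the second question's symptom: a rule removed by hand never produces a "delete" line, so the replay (like OSSEC) still reports the IP as banned, which is why the IP shows up as "stale" or simply missing from iptables.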
