On Tue, Apr 17, 2012 at 3:59 PM, Qasim Ijaz <[email protected]> wrote:
> I am trying to troubleshoot why my computer is being put to hosts.deny list
> by OSSEC. When looking at OSSEC active-response.log I see:
>
> Tue April 17 15:52:19 EDT 2012
> /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.48.163
> 1334692339.151650 31106
>
> How do I read this? What are those numbers after my IP address?
Timestamp and rule id. So you were added based on violating rule 31106:
<rule id="31106" level="6">
  <if_sid>31103, 31104, 31105</if_sid>
  <id>^200</id>
  <description>A web attack returned code 200 (success).</description>
  <group>attack,</group>
</rule>
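To make the two-line entry format discussed in this thread concrete, here is an added Python example (not from the thread, nor OSSEC's own code) that splits such an active-response.log entry into its fields, converts the epoch part of the alert id to a time, and looks the rule id up in a rules fragment; the samples are constructed from the quoted lines, and the `<rules>` wrapper element is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the two-line entry format quoted in the thread.
SAMPLE_LOG = """Tue April 17 15:52:19 EDT 2012
/var/ossec/active-response/bin/firewall-drop.sh add - 192.168.48.163 1334692339.151650 31106
"""
# Constructed sample: the rule quoted in the thread; the <rules> wrapper is an assumption.
SAMPLE_RULES = """<rules>
<rule id="31106" level="6">
  <if_sid>31103, 31104, 31105</if_sid>
  <id>^200</id>
  <description>A web attack returned code 200 (success).</description>
  <group>attack,</group>
</rule>
</rules>"""

# Command line shape: script action user source-ip alert-id(epoch.suffix) rule-id
ENTRY_RE = re.compile(r"^(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
                      r"(?P<epoch>\d+)\.(?P<suffix>\d+) (?P<rule_id>\d+)$")

def parse_active_response_log(text):
    lines = [ln for ln in text.splitlines() if ln.strip()]  # header line, then command line
    entries = []
    for _header, command in zip(lines[0::2], lines[1::2]):
        m = ENTRY_RE.match(command)
        if not m:
            continue  # skip anything that does not follow the expected shape
        entries.append({
            "script": m["script"].rsplit("/", 1)[-1],
            "action": m["action"],
            "user": m["user"],  # "-" when no username accompanies the block
            "srcip": m["srcip"],
            # integer part of the alert id is epoch seconds: 19:52:19 UTC == 15:52:19 EDT
            "alert_time": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
            "rule_id": int(m["rule_id"]),
        })
    return entries

def load_rules(xml_text):
    # Map rule id -> (level, description) so an entry can be explained.
    root = ET.fromstring(xml_text)
    return {int(r.get("id")): (int(r.get("level")), (r.findtext("description") or "").strip())
            for r in root.iter("rule")}

def explain(entry, rules):
    level, desc = rules.get(entry["rule_id"], ("?", "rule not found"))
    return (f"{entry['action']} {entry['srcip']} by {entry['script']} at "
            f"{entry['alert_time']:%Y-%m-%d %H:%M:%S} UTC: rule {entry['rule_id']} (level {level}) {desc}")
```

Running `explain(parse_active_response_log(SAMPLE_LOG)[0], load_rules(SAMPLE_RULES))` yields one line naming the blocked address, the script, the alert time and the rule that fired.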