Thanks for your input BP9906. It seems to me that OSSEC works this way by design, but I would like it if someone could please explain to me why it isn't so simple to check a list of blocked IPs. In my opinion this would be a feature request asked for by a lot of users, but instead I can't find anywhere other people asking for this.

So I would be very grateful if someone would explain to me why maybe my request is so strange.

Thank you very much for your time,
Joel Oliveira

Monday, 9 April 2012 18:52:59 UTC+1, BP9906 wrote:
>
> I think the answer is no. When I use null route to block an IP for a given
> agent, if I manually remove that null route for an IP (I don't know if the
> null route was there previous to ossec agent null routing it), then the
> agent won't re-null route the IP until the timeout has happened or I restart
> the agent. Perhaps the answer for you is to use a block mechanism that is
> unique to ossec agent and not anything else.
>
> Sorry I couldn't help more.
>
>
> On Thursday, April 5, 2012 8:08:15 AM UTC-7, Joel Oliveira wrote:
>>
>> Hello,
>>
>> Just bumping this issue. Does anyone know anything about this?
>>
>> Thanks,
>> Joel Oliveira
>>
>> Wednesday, 21 March 2012 16:58:44 UTC, Joel Oliveira wrote:
>>>
>>> Hello Daniel and all,
>>>
>>> I am using OSSEC 2.5.1 on different Linux environments for the past year
>>> and a half with OpenSIPs and Asterisk applications to ban SIP brute-forcing
>>> attackers and of course it is doing its job very well. Thank you to all
>>> people involved with the development of this software.
>>>
>>> So, for the past 2 days I've been in a battle with having a way to check
>>> which IPs are blocked by OSSEC-Server in an agent. I know that if I look
>>> into the active-responses.log I'll see what the actions taken in a
>>> certain agent were (add and delete from iptables) and if I look at
>>> iptables I'll be able to see the blocked IPs as well. But in an agent where
>>> the iptables rules are complex there is no way of making sure that I am looking
>>> at OSSEC-inserted rules.
>>>
>>> My theory is that the server or the agent knows the association between
>>> the timeout, the blocked IP and the agent so that it can remove that
>>> active-response (rule in iptables) just after the timeout occurred.
>>> Question is: where can I find that association, i.e. where is the list of
>>> the blocked IPs of an agent?
>>>
>>> I already looked into this list and the IRC channel and didn't find any
>>> information regarding this, which for me is odd because it seems to me
>>> that this should be a functionality asked for by a lot of people.
>>>
>>> On the same page of this problem I would like to know if it's possible
>>> to remove an iptables rule without doing an "iptables -D" and without
>>> restarting the agent. You see, if I remove a rule "by hand", and because I
>>> am using timeouts of 24h, if the attacker tries again it'll send
>>> email_alerts but it'll not apply the active-response. So, my other question
>>> is: Is it possible to remove an active response before its timeout where
>>> the agent is aware of that?
>>>
>>> Thank you very much for your time. Best Regards,
>>> Joel Oliveira
>>>
>>
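One way to get the per-agent block list the thread asks for is to replay the add/delete actions recorded in active-responses.log and then reconcile the result against the DROP rules actually present in iptables. This is an added example, not code from the thread or from OSSEC; it assumes the line shape written by the stock firewall-drop.sh script (`date script action user ip alertid ruleid`), and both the log and the `iptables -S INPUT` output below are constructed samples.

```python
import re

# Constructed sample of active-responses.log lines (not real data).
SAMPLE_LOG = """\
Wed Mar 21 16:10:02 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1332346202.1001 100005
Wed Mar 21 16:12:40 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1332346360.1002 100005
Wed Mar 21 17:03:11 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.77 1332349391.1003 100005
Thu Mar 22 16:10:03 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.7 1332346202.1001 100005
"""

# Constructed sample of `iptables -S INPUT` output (not real data).
# 192.0.2.77 was removed by hand; 192.0.2.44 was never added by OSSEC.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.9/32 -j DROP
-A INPUT -s 192.0.2.44/32 -j DROP
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
"""

# Assumed log shape: `date` $0 $1 $2 $3 $4 $5 -> date, script, action, user, ip, alertid, ruleid
LOG_RE = re.compile(r"^(?P<when>.+?) (?P<script>\S+firewall-drop\.sh) (?P<action>add|delete) \S+ (?P<ip>\S+)")
DROP_RE = re.compile(r"^-A INPUT -s (?P<ip>[\d.]+)(?:/32)? -j DROP$")


def active_blocks(log_text):
    """Replay add/delete events in order; the 'add' entries that survive are the agent's current blocks."""
    blocks = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # other response scripts or malformed lines are ignored
        if m["action"] == "add":
            blocks[m["ip"]] = m["when"]  # remember when the block was applied
        else:
            blocks.pop(m["ip"], None)
    return blocks


def reconcile(blocks, iptables_text):
    """Compare the log-derived block list with the DROP rules actually in the INPUT chain."""
    in_fw = {m["ip"] for m in (DROP_RE.match(l) for l in iptables_text.splitlines()) if m}
    return {
        "tracked": sorted(set(blocks) & in_fw),            # OSSEC block, rule present
        "missing_from_iptables": sorted(set(blocks) - in_fw),  # removed by hand: agent still thinks it is blocked
        "not_ossec": sorted(in_fw - set(blocks)),           # DROP rules that did not come from OSSEC
    }


if __name__ == "__main__":
    print(reconcile(active_blocks(SAMPLE_LOG), SAMPLE_IPTABLES))
```

On a real agent, read /var/ossec/logs/active-responses.log and the output of `iptables -S INPUT` in place of the samples; the "missing_from_iptables" entries are exactly the hand-removed blocks the thread describes, which the agent will not re-apply until their timeout expires.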
