On Wed, Jul 11, 2012 at 9:59 PM, cosmaschi cristian <[email protected]> wrote:
> my last Active response log is from Mon Jun 4 21:23:43 EDT 2012 ups:| that's
> bad
>
> attached are ossec.conf and asterisk rules
>
> Thanks
>

So you have a very basic active response configuration. I think the
host-deny entry will be triggered and the firewall-drop one will not.
Try commenting out the host-deny entry, or check your hosts.deny file
to see if that's getting the entries instead of iptables.

>
> On Wed, Jul 11, 2012 at 9:48 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Jul 11, 2012 9:43 PM, "cosmaschi cristian" <[email protected]>
>> wrote:
>> >
>> > i see that the rules are being processed , but when i check ip tables
>> > to see if the host was blocked ... nothing...
>> >
>> > it used to work until 2 days ago...
>> >
>>
>> What changed? What is your configuration? How did you check iptables?
>> Anything in the active response log? Why didn't you include that info?
>>
>> >
>> > Results:
>> > Total alerts found: 424
>> >
>> > Alert list
>> > 2012 Jul 11 20:56:00 Rule Id: 6212 level: 10
>> > Location: (Hp22) 209.217.109.82->/var/log/messages
>> > Src IP: 0:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in
>> > handle_request_register: Registration from '<sip:[email protected]:5060>'
>> > failed for '99.251.108.141:5060' - No matching peer found
>> > Login session failed (invalid extension). ** Alert 1342054561.21049945:
>> > - syslog,asterisk,
>> >
>>
>> It looks like you're using the broken web ui. Stop that. Either fix it or
>> don't use it, and definitely give me an un-messed up alert.
>>
>> >
>> > On Wed, Jul 11, 2012 at 9:33 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Jul 11, 2012 9:31 PM, "cosmaschi cristian"
>> >> <[email protected]> wrote:
>> >> >
>> >> > Hello ,
>> >> >
>> >> > I'm trying to debug on ossec , following
>> >> > http://www.ossec.net/doc/faq/unexpected.html
>> >> >
>> >> > example If you have logs similar to the following in
>> >> > /var/ossec/queue/ossec/queue:
>> >> >
>> >> > when i run
>> >> >
>> >> > tail -f /var/ossec/queue/ossec/queue
>> >> >
>> >>
>> >> That page does not tell you to do that. It probably wants you to tail
>> >> the logfile:
>> >> `tail -f /var/ossec/logs/ossec.log`
>> >>
>> >> > i get
>> >> >
>> >> > tail: cannot open `/var/ossec/queue/ossec/queue' for reading: No such
>> >> > device or address
>> >> > tail: no files remaining
>> >> >
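dan's diagnosis above turns on which active-response entries are bound in ossec.conf. The fragment below is an added example for this thread; it is not the ossec.conf cristian attached (which is not reproduced here) and not OSSEC project code. It defines both stock OSSEC commands, binds firewall-drop to rule 6212 from the alert shown above, and leaves the host-deny binding commented out as dan suggests. The rule id is taken from the thread; the level and the 600 second timeout are assumed values chosen for illustration.

```xml
<ossec_config>
  <!-- Command definitions. Both scripts ship with OSSEC under
       /var/ossec/active-response/bin/ and receive the alert's source IP. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binding for firewall-drop: this is the entry that should produce
       iptables rules on the local host. rules_id 6212 is the rule id from
       the alert in this thread; the 600 second timeout is an assumed value. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>6212</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- host-deny binding, commented out as suggested in the thread. If it is
       left active, look for the blocked address in /etc/hosts.deny rather
       than in iptables. The level value here is assumed.
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  -->
</ossec_config>
```

After changing the bindings, restart OSSEC with /var/ossec/bin/ossec-control restart, then confirm the response fired by reading /var/ossec/logs/active-responses.log and listing the rules with iptables -L -n; an entry in the log without a matching iptables rule points at the script or its permissions rather than at the rule match.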
