Dan,

We have active response set to 1 hr, 1 day, 1 week, so assuming the IP is being blocked for one week and iptables is reset in the middle of the week by the sysadmin, then the IP we thought was being blocked is actually not being blocked.

Here is a clearer explanation:

Monday  - block for IP 1.1.1.1 starts for one week
Tuesday - sysadmin clears iptables (no more block for 1.1.1.1)
...     - sysadmin has to wait until next Monday before OSSEC will start blocking the desired IP again
Monday  - OSSEC clears block for 1.1.1.1

Gil Vidals

On Tue, Aug 21, 2012 at 12:00 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Aug 21, 2012 at 2:50 PM, Gil Vidals <[email protected]> wrote:
> > Dan,
> >
> > Can you tell me specifically what file to clear AND will this resolve the
> > following condition:
> >
> > 1) active response drops an IP as planned
> > 2) sysadmin restarts the firewall (which clears all the IP drop rules)
> > 3) ossec believes the drop is still in place, but it isn't!
> >
> > Gil Vidals
> >
>
> I don't understand the problem in the above scenario. What are you
> trying to achieve specifically?
>
> Are you worried that the admin removed the block and OSSEC won't
> re-block it until after it's removed the block? Don't remove the block
> on the host. Or save the OSSEC blocked hosts and reload them when the
> firewall is reloaded. I don't know where that info is kept on the
> OSSEC server, possibly just in memory.
>
> > On Tue, Aug 21, 2012 at 10:50 AM, dan (ddp) <[email protected]> wrote:
> >> On Tue, Aug 21, 2012 at 1:37 PM, Gil Vidals <[email protected]> wrote:
> >> > How can I clear the ossec db for the active responses? I'm not using
> >> > mysql for ossec. I have installed whatever the default db is.
> >> >
> >> > I don't need to clear the sys checks; instead I want to clear the active
> >> > responses. Is there a way to do this?
> >> >
> >> > --
> >> > Gil Vidals
> >>
> >> By default OSSEC only logs to text files. I guess you could stop the
> >> OSSEC processes, clear the file, and start OSSEC back up.
> >
> > --
> > Gil Vidals

--
Gil Vidals

CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, please contact the sender by reply email and permanently delete the original message.
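Dan's suggestion above (save the hosts OSSEC has blocked and reload them when the firewall is reloaded) written out as an added example; this is not code from the thread or from the OSSEC project. It assumes the stock firewall-drop.sh is invoked as `firewall-drop.sh <add|delete> <user> <ip> ...`, that ossec.conf's `<executable>` for the firewall-drop command is pointed at this wrapper instead, and that the INPUT/FORWARD DROP rules below match the installed firewall-drop.sh; the state-file path and the `REAL_AR` variable are placeholders of my own.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: wrap the firewall-drop active response
# so every host OSSEC drops is also written to a state file, and provide a
# "reload" mode that replays those drops after someone flushes iptables.
#
# Assumptions (not from the thread): the stock firewall-drop.sh is invoked as
#   firewall-drop.sh <add|delete> <user> <ip> [alertid] [ruleid]
# and ossec.conf's <executable> for the firewall-drop <command> points at this
# wrapper instead. STATE, REAL_AR and the iptables rules below are assumptions;
# check them against your installed copy of firewall-drop.sh.

STATE="${OSSEC_BLOCK_STATE:-/var/ossec/active-response/blocked-hosts.txt}"
REAL_AR="${REAL_AR:-/var/ossec/active-response/bin/firewall-drop.sh}"
IPTABLES="${IPTABLES:-iptables}"   # set to "echo iptables" for a dry run

# Accept only a plain dotted-quad IPv4 so nothing odd from an alert reaches
# iptables (the address comes straight out of the decoded alert).
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    (   # subshell so the IFS change and positional parameters stay local
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# record_action <add|delete> <ip> [statefile]: keep the state file in sync
# with what OSSEC just did (add appends once, delete removes).
record_action() {
    action=$1; ip=$2; state=${3:-$STATE}
    is_ipv4 "$ip" || { echo "refusing to record bad address: $ip" >&2; return 2; }
    touch "$state"
    case "$action" in
        add)    grep -qxF "$ip" "$state" || echo "$ip" >> "$state" ;;
        delete) grep -vxF "$ip" "$state" > "$state.tmp" || :
                mv "$state.tmp" "$state" ;;
        *)      echo "unknown action: $action" >&2; return 2 ;;
    esac
}

# reload_blocks [statefile]: re-insert a DROP for every saved host and print
# how many were replayed. Mirrors the INPUT/FORWARD rules the stock script
# inserts (assumed; compare with your firewall-drop.sh).
reload_blocks() {
    state=${1:-$STATE}
    count=0
    [ -f "$state" ] || { echo 0; return 0; }
    while IFS= read -r ip; do
        is_ipv4 "$ip" || continue
        $IPTABLES -I INPUT   -s "$ip" -j DROP
        $IPTABLES -I FORWARD -s "$ip" -j DROP
        count=$((count + 1))
    done < "$state"
    echo "$count"
}

# Entry points. OSSEC calls the wrapper with the active-response arguments;
# an admin (or the firewall's post-reload hook) runs "wrapper.sh reload".
if [ "$1" = "reload" ]; then
    reload_blocks "$2"
elif [ $# -ge 3 ]; then
    record_action "$1" "$3" || exit 2
    exec "$REAL_AR" "$@"
fi
```

Hook `wrapper.sh reload` into whatever resets the firewall (the same script the sysadmin runs on Tuesday in the timeline above). Note what this does and does not fix: OSSEC's own view of the block is unchanged, so the timeout still expires on its original schedule and the delete still removes the rule and the state-file entry then; the wrapper only gives the admin an accurate list of what OSSEC believes is blocked, so a flush no longer leaves a silent gap until that timeout.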
