On Tue, Aug 21, 2012 at 3:46 PM, Gil Vidals <[email protected]> wrote:
> Dan,
>
> We have active response set to 1 hr, 1 day, 1 week, so assuming the IP is
> being blocked for one week and the iptables is reset in the middle of the
> week by the sysadmin, then the IP we thought was being blocked is actually
> not being blocked.
>
> Here is a clearer explanation:
>
> Monday - block for IP 1.1.1.1 starts for one week
> Tuesday - sysadmin clears iptables (no more block for 1.1.1.1)
> ... - sysadmin has to wait until next monday before OSSEC will
> start blocking the desired IP again
> Monday - ossec clears block for 1.1.1.1
>
>

Yeah, I don't know where this info is kept on the server. You could
possibly try restarting the server processes to see if that helps. I feel
like it would be easier to just not lose that information in the first
place.

> Gil Vidals
>
>
> On Tue, Aug 21, 2012 at 12:00 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Aug 21, 2012 at 2:50 PM, Gil Vidals <[email protected]> wrote:
>> > Dan,
>> >
>> > Can you tell me specifically what file to clear AND will this resolve
>> > the following condition:
>> >
>> > 1) active response drops an IP as planned
>> > 2) sysadmin restarts the firewall (which clears all the IP drop rules)
>> > 3) ossec believes the drop is still in place, but it isn't!
>> >
>> > Gil Vidals
>> >
>>
>> I don't understand the problem in the above scenario. What are you
>> trying to achieve specifically?
>>
>> Are you worried that the admin removed the block and OSSEC won't
>> re-block it until after it's removed the block? Don't remove the block
>> on the host. Or save the OSSEC blocked hosts and reload them when the
>> firewall is reloaded. I don't know where that info is kept on the
>> OSSEC server, possibly just in memory.
>>
>> >
>> > On Tue, Aug 21, 2012 at 10:50 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Tue, Aug 21, 2012 at 1:37 PM, Gil Vidals <[email protected]> wrote:
>> >> > How can I clear the ossec db for the active responses? I'm not using
>> >> > mysql for ossec. I have installed whatever the default db is.
>> >> >
>> >> > I don't need to clear the sys checks; instead I want to clear the
>> >> > active responses. Is there a way to do this?
>> >> >
>> >> > --
>> >> > Gil Vidals
>> >> >
>> >> > CONFIDENTIALITY NOTICE: The information contained in this transmission
>> >> > may contain privileged and confidential information. It is intended only
>> >> > for the use of the person(s) named above. If you are not the intended
>> >> > recipient, please contact the sender by reply email and permanently
>> >> > delete the original message.
>> >> >
>> >>
>> >> By default OSSEC only logs to text files. I guess you could stop the
>> >> OSSEC processes, clear the file, and start OSSEC back up.
>> >
>> >
>> > --
>> > Gil Vidals
>> >
>
> --
> Gil Vidals
>
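An added example, not from this thread, of the approach Dan suggests (save the hosts OSSEC still considers blocked and re-apply them after the firewall is reloaded). It assumes the entry format that OSSEC's firewall-drop.sh appends to /var/ossec/logs/active-responses.log (date, script path, add/delete, user, IP, alert id, rule id) and the INPUT/FORWARD DROP rules that script inserts; the log lines below are constructed, and the block duration is passed in because the thread establishes that OSSEC's own timeout state is not available from a file.

```python
"""Rebuild the hosts OSSEC still considers blocked from active-responses.log and
print the iptables rules to re-apply them after a firewall flush. Assumed entry
format (what firewall-drop.sh appends): <date> <script> <add|delete> <user> <ip> ..."""
from datetime import datetime, timedelta, timezone

LOG_PATH = "/var/ossec/logs/active-responses.log"
DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"

# Constructed sample: 1.1.1.1 blocked Monday; 2.2.2.2 blocked then released;
# 3.3.3.3 blocked nine days ago, so its one-week block has already expired.
SAMPLE_LOG = """\
Mon Aug 20 09:00:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 1.1.1.1 1345453200.1 5712
Mon Aug 20 09:05:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 2.2.2.2 1345453500.2 5712
Mon Aug 20 09:10:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 2.2.2.2 1345453500.2 5712
Sun Aug 12 09:00:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 3.3.3.3 1344762000.3 5712
"""

def parse_line(line):
    """Return (timestamp, action, ip) for a firewall-drop entry, else None."""
    tok = line.split()
    if len(tok) < 10 or not tok[6].endswith("firewall-drop.sh"):
        return None
    return datetime.strptime(" ".join(tok[:6]), DATE_FMT), tok[7], tok[9]

def still_blocked(log_text, now_str, timeout_days):
    """IPs with an 'add' not followed by 'delete' and younger than the timeout."""
    now = datetime.strptime(now_str, DATE_FMT)
    active = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, action, ip = rec
        if action == "add":
            active[ip] = when
        else:  # "delete": OSSEC (or its timeout) lifted the block
            active.pop(ip, None)
    return sorted(ip for ip, t in active.items()
                  if now - t < timedelta(days=timeout_days))

def iptables_commands(ips):
    """The DROP rules firewall-drop.sh inserts (assumed), one per chain per host."""
    return [f"iptables -I {chain} -s {ip} -j DROP"
            for ip in ips for chain in ("INPUT", "FORWARD")]

if __name__ == "__main__":
    # After a firewall reset, swap SAMPLE_LOG for open(LOG_PATH).read().
    now = datetime.now(timezone.utc).strftime(DATE_FMT)
    for cmd in iptables_commands(still_blocked(SAMPLE_LOG, now, 7)):
        print(cmd)
```

The output is the list of rules to re-apply; OSSEC will still send its own "delete" when each block's timeout expires, which removes the re-applied rule as well.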
