On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker <bren...@unruleable.org> wrote:
> On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm <guilhem.march...@gmail.com>
> wrote:
>> Hi,
>>
>> I had the same issue with Ossec 2.7 even with a server / agent fresh
>> install, I confirm.
>>
>> Regards,
>>
>> Guilhem
>
> Weird, it's working fine in 2.7 for me.
>
> OSSEC HIDS agent_control. Available active responses:
>
> Response name: host-deny2400, command: host-deny.sh
> Response name: firewall-drop600, command: firewall-drop.sh
>
>
> and ossec.conf
>
> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every event that fires a rule with
> - level (severity) >= 6.
> - The IP is going to be blocked for 600 seconds.
> -->
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>2400</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
Uhmm I have found another problem, well two problems:

a) I have defined another active response:

<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>

<active-response>
<command>restart-ossec</command>
<location>all</location>
<rules_id>120000</rules_id>
</active-response>

... and it doesn't appear:

[root@ossectst etc]# agent_control -L
OSSEC HIDS agent_control. Available active responses:

Response name: firewall-drop86400, command: firewall-drop.sh

b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3 system (using version 2.6 for server and agent works)

Please, any idea??
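As an added example (not from this thread and not OSSEC's own code), here is a small Python check that parses the ossec.conf blocks quoted above, verifies that every <active-response> points at a defined <command> and carries a level/rules_id/rules_group trigger, and derives the listing name the way the agent_control -L output shows it (command name followed by the timeout). The <command> definitions for host-deny and firewall-drop are constructed here, and using 0 as the suffix for a response without a <timeout> is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of ossec.conf, built from the blocks quoted in this thread.
# The <command> definitions for host-deny and firewall-drop are assumed (they
# are not quoted on the page); the rest is copied from the messages above.
OSSEC_CONF_FRAGMENT = """
<command><name>host-deny</name><executable>host-deny.sh</executable><expect>srcip</expect></command>
<command><name>firewall-drop</name><executable>firewall-drop.sh</executable><expect>srcip</expect></command>
<command><name>restart-ossec</name><executable>restart-ossec.sh</executable><expect></expect></command>
<active-response><command>host-deny</command><location>local</location><level>6</level><timeout>2400</timeout></active-response>
<active-response><command>firewall-drop</command><location>local</location><level>6</level><timeout>600</timeout></active-response>
<active-response><command>restart-ossec</command><location>all</location><rules_id>120000</rules_id></active-response>
"""

TRIGGERS = ("level", "rules_id", "rules_group")


def parse_active_responses(conf_text):
    """Return (entries, problems): one entry per <active-response> wired to a
    defined <command>, plus human-readable findings for anything that is not."""
    # ossec.conf has no single root element, so wrap the fragment before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # Only top-level <command> blocks define commands; the <command> inside an
    # <active-response> is a reference, so findall (direct children) is used.
    commands = {c.findtext("name", "").strip(): c.findtext("executable", "").strip()
                for c in root.findall("command")}
    entries, problems = [], []
    for ar in root.findall("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        timeout = int((ar.findtext("timeout") or "0").strip() or 0)
        if cmd not in commands:
            problems.append(f"active-response references undefined command '{cmd}'")
            continue
        if not any(ar.find(t) is not None for t in TRIGGERS):
            problems.append(f"active-response '{cmd}' has no level/rules_id/rules_group trigger")
        # Listing name = command name followed by timeout, as in the agent_control -L
        # output quoted above; using 0 for a missing timeout is an assumption.
        entries.append({"name": f"{cmd}{timeout}", "executable": commands[cmd],
                        "location": (ar.findtext("location") or "").strip(), "timeout": timeout})
    return entries, problems


def render_listing(entries):
    """Format entries in the style of 'agent_control -L' for side-by-side comparison."""
    return [f"Response name: {e['name']}, command: {e['executable']}" for e in entries]


if __name__ == "__main__":
    found, issues = parse_active_responses(OSSEC_CONF_FRAGMENT)
    print("\n".join(render_listing(found)))
    for issue in issues:
        print("PROBLEM:", issue)
```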