On Dec 12, 2012 5:48 AM, "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> On Wed, Dec 12, 2012 at 7:38 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >
> > On Dec 12, 2012 2:36 AM, "C. L. Martinez" <carlopm...@gmail.com> wrote:
> >>
> >> On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez <carlopm...@gmail.com>
> >> wrote:
> >> > On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker <bren...@unruleable.org>
> >> > wrote:
> >> >> On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
> >> >> <guilhem.march...@gmail.com> wrote:
> >> >>> Hi,
> >> >>>
> >> >>> I had the same issue with Ossec 2.7 even with a server / agent fresh
> >> >>> install, I confirm.
> >> >>>
> >> >>> Regards,
> >> >>>
> >> >>> Guilhem
> >> >>
> >> >> Weird, it's working fine in 2.7 for me.
> >> >>
> >> >> OSSEC HIDS agent_control. Available active responses:
> >> >>
> >> >> Response name: host-deny2400, command: host-deny.sh
> >> >> Response name: firewall-drop600, command: firewall-drop.sh
> >> >>
> >> >>
> >> >> and ossec.conf
> >> >>
> >> >> <active-response>
> >> >> <!-- This response is going to execute the host-deny
> >> >> - command for every event that fires a rule with
> >> >> - level (severity) >= 6.
> >> >> - The IP is going to be blocked for 600 seconds.
> >> >> -->
> >> >> <command>host-deny</command>
> >> >> <location>local</location>
> >> >> <level>6</level>
> >> >> <timeout>2400</timeout>
> >> >> </active-response>
> >> >>
> >> >> <active-response>
> >> >> <!-- Firewall Drop response. Block the IP for
> >> >> - 600 seconds on the firewall (iptables,
> >> >> - ipfilter, etc).
> >> >> -->
> >> >> <command>firewall-drop</command>
> >> >> <location>local</location>
> >> >> <level>6</level>
> >> >> <timeout>600</timeout>
> >> >> </active-response>
> >> >>
> >> >
> >> > Uhmm I have found another problem, well two problems:
> >> >
> >> > a) I have defined another active response:
> >> >
> >> > <command>
> >> > <name>restart-ossec</name>
> >> > <executable>restart-ossec.sh</executable>
> >> > <expect></expect>
> >> > </command>
> >> >
> >> > <active-response>
> >> > <command>restart-ossec</command>
> >> > <location>all</location>
> >> > <rules_id>120000</rules_id>
> >> > </active-response>
> >> >
> >> > ... and it doesn't appear:
> >> >
> >> > [root@ossectst etc]# agent_control -L
> >> >
> >> > OSSEC HIDS agent_control. Available active responses:
> >> >
> >> > Response name: firewall-drop86400, command: firewall-drop.sh
> >> >
> >> > b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3
> >> > system (using version 2.6 for server and agent works)
> >> >
> >> > Please, any idea??
> >>
> >> Any idea please?? This problem is really strange ....
> >
> > Run it manually, how does it fail? Please give us enough info to help, I'm
> > not installing FreeBSD.
>
> Running manually works ok:
>
> /var/ossec/active-response/bin/firewall-drop.sh add - 10.1961.132
> 1355211271.2446 5706
>
> but it doesn't work automatically ...
So I don't have to dig through the whining to find out: Did you check permissions? Perhaps of ar.conf? Anything useful in the ossec.log (why do I feel like I have to ask this)? Anything in the active response log? Are any active responses working? Is AR disabled?
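The thread above turns on two things: which `<active-response>` blocks actually end up in the `agent_control -L` listing, and whether the script behind each one can run at all. The following is an added example, not code from the thread or from the OSSEC project: it parses an ossec.conf fragment, pairs every `<active-response>` with its `<command>` definition, derives the listing name the way the quoted output shows it (command name with the timeout appended, `host-deny` + `2400` becoming `host-deny2400`), and flags entries that cannot work because the command is never defined, the executable is absent from `active-response/bin`, or active response is disabled globally. The sample configuration and the list of scripts present are constructed; treating a missing `<timeout>` as `0` and the check for a `<disabled>yes</disabled>` block are assumptions, as is the `bin_dir` default.

```python
"""Lint OSSEC active-response definitions (added example, not OSSEC code)."""
import os
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the blocks quoted in the thread.
# The last active-response references a command that is never defined, to show
# what a silently dropped entry looks like.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>2400</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>restart-ossec</command>
    <location>all</location>
    <rules_id>120000</rules_id>
  </active-response>
  <active-response>
    <command>geo-block</command>
    <location>local</location>
    <level>10</level>
  </active-response>
</ossec_config>
"""

# Constructed list of scripts present in active-response/bin on a hypothetical
# server; restart-ossec.sh is deliberately left out.
SAMPLE_BIN = ["host-deny.sh", "firewall-drop.sh"]


def parse_conf(text):
    """Parse one or more top-level <ossec_config> blocks into one Element."""
    # ossec.conf may contain several <ossec_config> roots, which is not
    # well-formed XML by itself; a synthetic wrapper root makes it parseable.
    return ET.fromstring("<root>" + text + "</root>")


def command_definitions(root):
    """Map <command><name> -> <executable> for the top-level definitions."""
    defs = {}
    for cmd in root.iter("command"):
        name = cmd.findtext("name")
        if name is None:  # <command> inside <active-response> is a reference
            continue
        defs[name.strip()] = (cmd.findtext("executable") or "").strip()
    return defs


def lint_active_responses(text, bin_files):
    """Return one dict per <active-response>: listing name, executable, status."""
    root = parse_conf(text)
    defs = command_definitions(root)
    present = set(bin_files)
    # Assumption: a bare <active-response><disabled>yes</disabled></active-response>
    # switches active response off for every entry.
    globally_disabled = any(
        (ar.findtext("disabled") or "").strip().lower() == "yes"
        for ar in root.iter("active-response"))
    report = []
    for ar in root.iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        if not cmd:
            continue  # the <disabled> block carries no command
        timeout = int((ar.findtext("timeout") or "0").strip())  # assumption: default 0
        executable = defs.get(cmd)
        if globally_disabled:
            status = "disabled"
        elif executable is None:
            status = "undefined-command"
        elif executable not in present:
            status = "missing-executable"
        else:
            status = "ok"
        report.append({"name": f"{cmd}{timeout}", "command": cmd,
                       "executable": executable, "status": status})
    return report


def format_report(report):
    """Render entries in the style of agent_control -L, plus a status column."""
    return [f"Response name: {e['name']}, command: {e['executable'] or '?'} [{e['status']}]"
            for e in report]


def bin_dir_files(bin_dir="/var/ossec/active-response/bin"):
    """Names of executable files actually present in the active-response bin dir."""
    if not os.path.isdir(bin_dir):
        return []
    return [f for f in os.listdir(bin_dir)
            if os.access(os.path.join(bin_dir, f), os.X_OK)]


if __name__ == "__main__":
    for line in format_report(lint_active_responses(SAMPLE_CONF, SAMPLE_BIN)):
        print(line)
```

Run against a real server with `lint_active_responses(open("/var/ossec/etc/ossec.conf").read(), bin_dir_files())`: an entry reported as `missing-executable` points at the permissions and script-presence questions raised in the reply above, while `undefined-command` catches a `<command>` block that was never added or was added under a different name.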