Hello,
I have active-response enabled in ossec.conf of the server as follows:
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>10</level>
  <rules_id>31151,5712,104130</rules_id>
  <timeout>600</timeout>
</active-response>
It is correctly blocking IPs with firewall-drop in response to rules
31151, 5712, 104130 as configured above.
Problem:
I am *also* seeing IPs getting blocked with the firewall-drop on the
agents, when those IPs are only triggering 1003 rules (Rule: 1003 fired
(level 13) -> "Non standard syslog message (size too large).")
The IP is definitely not triggering any other rules: grepping for the IP
in /var/ossec/logs/alerts/alerts.log on the master only shows 3 cases of
triggering 1003, and the IP is then blocked in
/var/ossec/logs/active-responses.log 2 seconds later, despite
active-response only being configured to respond to rules 31151, 5712, 104130.
What am I missing? Is 1003 automatically blocked?
I am running OSSEC 2.7 on Ubuntu 12.04 LTS hosts, with one server and 7
agents. Let me know if you require any more information.
Thanks for any help!
Mig
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
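Added example, not part of the original post: a small Python model of how an OSSEC 2.x `<active-response>` block gets attached to rules. It assumes the `<level>`, `<rules_group>` and `<rules_id>` criteria are independent and that a rule matching any one of them triggers the command, so `<level>10</level>` alone is enough for rule 1003 (level 13) to fire firewall-drop. The rule table is constructed (the level and groups of local rule 104130 are made up).

```python
# Added example (not from the original post): a model of how OSSEC 2.x decides
# which rules an <active-response> entry applies to. Assumption: <level>,
# <rules_group> and <rules_id> are independent criteria and a rule matching
# ANY one of them triggers the command.
import re
import xml.etree.ElementTree as ET

# Constructed rule table: id -> (level, groups). Levels for 1003, 5712 and
# 31151 follow the stock OSSEC rules; 104130 is the poster's local rule and
# its level/groups are made up here.
RULES = {
    1003:   (13, "syslog,errors"),
    5710:   (5,  "syslog,sshd,authentication_failed"),
    5712:   (10, "syslog,sshd,authentication_failures"),
    31151:  (10, "web,accesslog,attack"),
    104130: (8,  "local,custom"),
}

def parse_active_response(xml_text):
    """Read the criteria out of one <active-response> block."""
    root = ET.fromstring(xml_text)
    level = root.findtext("level")
    ids = root.findtext("rules_id") or ""
    return {
        "command": root.findtext("command"),
        "level": int(level) if level else None,
        "rules_id": {int(x) for x in ids.split(",") if x.strip()},
        "rules_group": root.findtext("rules_group"),
    }

def triggers(ar, rule_id, level, groups):
    """OR across criteria: one match is enough to attach the response."""
    if ar["level"] is not None and level >= ar["level"]:
        return True
    if ar["rules_group"] and re.search(ar["rules_group"], groups):
        return True
    return rule_id in ar["rules_id"]

def triggered_rules(ar, rules=RULES):
    """Sorted ids of every rule that would run the configured command."""
    return sorted(rid for rid, (lvl, grp) in rules.items()
                  if triggers(ar, rid, lvl, grp))

POSTED = """<active-response>
<command>firewall-drop</command><location>all</location>
<level>10</level><rules_id>31151,5712,104130</rules_id>
<timeout>600</timeout></active-response>"""

# Same block with <level> removed: only the listed ids trigger firewall-drop.
FIXED = POSTED.replace("<level>10</level>", "")

if __name__ == "__main__":
    print("posted:", triggered_rules(parse_active_response(POSTED)))
    print("fixed: ", triggered_rules(parse_active_response(FIXED)))
```

With the posted block, 1003 is selected through the level criterion even though it is not in `rules_id`; dropping `<level>` (or raising it above 13) restricts the response to the listed ids.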