On Tue, Nov 26, 2013 at 1:12 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Nov 25, 2013 at 9:06 AM, C. L. Martinez <[email protected]> wrote:
>> On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) <[email protected]> wrote:
>>> On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez <[email protected]> wrote:
>>>> On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) <[email protected]> wrote:
>>>>> On Mon, Nov 25, 2013 at 6:36 AM, C. L. Martinez <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> Last week, I updated 5 clients and one ossec server to release
>>>>>> 2.7.1. My surprise is with the restart-ossec active response: it doesn't
>>>>>> work.
>>>>>>
>>>>>> My config (as it appears in the OSSEC docs) is:
>>>>>>
>>>>>> <command>
>>>>>>   <name>restart-ossec</name>
>>>>>>   <executable>restart-ossec.sh</executable>
>>>>>>   <expect></expect>
>>>>>> </command>
>>>>>>
>>>>>> <active-response>
>>>>>>   <command>restart-ossec</command>
>>>>>>   <location>local</location>
>>>>>>   <rules_id>120000</rules_id>
>>>>>> </active-response>
>>>>>>
>>>>>> and rule 120000:
>>>>>>
>>>>>> <rule id="120000" level="10">
>>>>>>   <if_sid>550</if_sid>
>>>>>>   <match>/var/ossec/etc/shared/agent.conf</match>
>>>>>>   <description>Customized agent.conf has been modified.</description>
>>>>>> </rule>
>>>>>>
>>>>>> but running agent_control -L:
>>>>>>
>>>>>> OSSEC HIDS agent_control. Available active responses:
>>>>>>
>>>>>> Response name: firewall-drop86400, command: firewall-drop.sh
>>>>>>
>>>>>> .. it doesn't appear ... Any idea why??
>>>>>>
>>>>>
>>>>> Is ossec-execd running?
>>>>>
>>>>
>>>> Yes, in all components: agents and server ...
>>>>
>>>
>>> Is 120000 firing properly?
>>>
>>
>> Yes, according to my tests .... To be sure, I have added
>
> What tests are those? It's pretty simple to make sure. Change
> /var/ossec/etc/shared/agent.conf and check alerts.log for the alert.
>
> Are other active responses working?
> What does your /var/ossec/etc/shared/ar.conf look like?
> Is the script executable (check permissions)?
>
Yes, I have enabled the firewall-drop active response and it works without problems ...

ar.conf:

[root@ossec02 ~]# ls -la /var/ossec/etc/shared/ar.conf
-r--r----- 1 root ossec 161 Nov 22 10:00 /var/ossec/etc/shared/ar.conf

cat ar.conf:

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
firewall-drop86400 - firewall-drop.sh - 86400
restart-ossec0 - restart-ossec.sh - 0

restart-ossec.sh or ar.conf?? restart-ossec.sh is executable, ar.conf not ... (in server and in the agents)

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
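The two things dan asks about in this exchange, what ar.conf contains and whether the referenced script is executable, are easy to check mechanically. The following POSIX sh checker is an added example for this page, not code from the thread and not part of OSSEC itself. It parses the "name - script - timeout" lines that ar.conf uses (the format visible in the listing above), verifies that each script exists and carries the execute bit in the active-response bin directory, and reports response names that are listed more than once so the operator can inspect them. The real paths /var/ossec/etc/shared/ar.conf and /var/ossec/active-response/bin are assumed; the example runs against a constructed fixture that mirrors the posted ar.conf, with one script deliberately left non-executable and the Windows .cmd variant deliberately absent so both failure cases are exercised.

```shell
#!/bin/sh
# Added example (not from the thread, not OSSEC's own code): check the scripts
# referenced by an OSSEC ar.conf ("name - script - timeout" per line) against
# the active-response bin directory. On a live host the inputs would be
# /var/ossec/etc/shared/ar.conf and /var/ossec/active-response/bin (assumed).

# setup_fixture: build a throwaway ar.conf and bin/ directory. Constructed data
# mirroring the ar.conf posted above; restart-ossec.sh is left without the
# execute bit and restart-ossec.cmd is not created, to exercise NOEXEC and
# MISSING. Prints the fixture directory.
setup_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/bin"
  printf '%s\n' \
    'restart-ossec0 - restart-ossec.sh - 0' \
    'restart-ossec0 - restart-ossec.cmd - 0' \
    'firewall-drop86400 - firewall-drop.sh - 86400' \
    'restart-ossec0 - restart-ossec.sh - 0' > "$fx/ar.conf"
  printf '#!/bin/sh\nexit 0\n' > "$fx/bin/firewall-drop.sh"
  chmod 755 "$fx/bin/firewall-drop.sh"
  printf '#!/bin/sh\nexit 0\n' > "$fx/bin/restart-ossec.sh"
  chmod 640 "$fx/bin/restart-ossec.sh"   # constructed defect: no execute bit
  echo "$fx"
}

# check_ar_conf AR_CONF BIN_DIR
# Prints one line per entry: "OK", "MISSING" or "NOEXEC", plus an informational
# "DUPLICATE" line when a response name has already been seen.
# Returns 0 only if every referenced script exists and is executable.
check_ar_conf() {
  conf=$1
  bin=$2
  rc=0
  seen=" "
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    # Word-split "name - script - timeout" on the default IFS.
    set -- $line
    name=$1
    script=$3
    timeout=$5
    case "$seen" in
      *" $name "*) echo "DUPLICATE $name (listed more than once)" ;;
    esac
    seen="$seen$name "
    if [ ! -e "$bin/$script" ]; then
      echo "MISSING $name -> $bin/$script"
      rc=1
    elif [ ! -x "$bin/$script" ]; then
      echo "NOEXEC $name -> $bin/$script (execute bit not set)"
      rc=1
    else
      echo "OK $name -> $script (timeout ${timeout}s)"
    fi
  done < "$conf"
  return $rc
}

# Demo against the fixture. On a real host:
#   check_ar_conf /var/ossec/etc/shared/ar.conf /var/ossec/active-response/bin
demo_dir=$(setup_fixture)
check_ar_conf "$demo_dir/ar.conf" "$demo_dir/bin" || echo "ar.conf has problems; see above"
rm -rf "$demo_dir"
```

Run it on both the server and each agent, since ar.conf is pushed to agents and the script has to be executable on whichever side has `<location>local</location>`. The checker does not tell you whether ossec-execd is running or whether the rule fires; those remain the separate checks dan lists above.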
