Please see below for the answers...

On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski <[email protected]> wrote: 
> > Thanks for the quick response.  Please see inline for answers. 
> > 
> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski <[email protected]> wrote: 
> >> [...] 
> >> 
> >> 
> >> Are you using active response? 
> > 
> > 
> > Yes, I am trying to use active response.  I'm trying to get it to dump IP's 
> > in /etc/hosts.deny.  I am reading logs from another device in a directory 
> > that doesn't support ossec.  It's actually dumping the apache logs and I'm 
> > trying to get it to add it to the hosts.deny on the server. 
> > 
>
> Make sure AR isn't disabled. Make sure ossec-execd is running. Make 
> sure AR is configured for the server and not just the agents. 
>
>
I believe I enabled AR for the 'host-deny' command.  Attached is my config 
file.

http://pastebin.com/PY8C10Uc

ossec-execd is running as well.  The alert shows up in the 'alerts.log' 
file as well, but doesn't add it to /etc/hosts.deny or the 
activeresponse.log.  Here's a snip of an alert of me doing a vulnerability 
scan against that box.

** Alert 1394732302.250449: - apache,invalid_request,
2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
Src IP: 10.0.1.9
[Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1


Thanks for your response and help.
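As an added example (not code from this thread or from OSSEC itself), here is a small Python dry-run of the matching logic that decides whether an alert fires an `<active-response>` block: the global `<disabled>` switch, the `<command>` name lookup, and the `<level>`, `<rules_id>` and `<rules_group>` criteria. It is run against the rule 30115 / level 5 alert quoted above and two constructed ossec.conf fragments (not the poster's pastebin config); the function names are my own. It shows the usual reason an alert lands in alerts.log but never reaches activeresponse.log: the block is configured with a `<level>` threshold above the alert's level.

```python
"""Dry-run check of whether an OSSEC alert would fire an active response.
Example code for illustration; it does not read the live manager state."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: host-deny keyed on alert level 6.
SAMPLE_CONF_LEVEL6 = """<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""

# Same fragment keyed on the rule id instead of a level threshold (constructed).
SAMPLE_CONF_BY_RULE = SAMPLE_CONF_LEVEL6.replace(
    "<level>6</level>", "<rules_id>30115</rules_id>")

# Fields taken from the alert quoted in the thread.
SAMPLE_ALERT = {"rule_id": "30115", "level": 5,
                "groups": ["apache", "invalid_request"], "srcip": "10.0.1.9"}


def _split_list(text):
    return [t.strip() for t in text.split(",") if t.strip()]


def load_config(conf_text):
    """Parse ossec.conf text; a real file may have several <ossec_config> roots."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    disabled, commands, responses = False, {}, []
    for ar in root.iter("active-response"):
        flag = (ar.findtext("disabled") or "").strip().lower()
        if flag == "yes":
            disabled = True
            continue
        name = ar.findtext("command")
        if name is None:
            continue
        level = ar.findtext("level")
        responses.append({
            "command": name.strip(),
            "location": (ar.findtext("location") or "").strip(),
            "level": int(level) if level else None,
            "rules_id": _split_list(ar.findtext("rules_id") or ""),
            "rules_group": _split_list(ar.findtext("rules_group") or ""),
        })
    for cmd in root.iter("command"):
        # <command> inside <active-response> carries only text, no <name> child.
        if cmd.find("name") is None:
            continue
        commands[cmd.findtext("name").strip()] = {
            "executable": (cmd.findtext("executable") or "").strip(),
            "expect": (cmd.findtext("expect") or "").strip(),
        }
    return disabled, commands, responses


def why_not_triggered(conf_text, alert):
    """Return the reasons the alert would NOT fire an active response.
    An empty list means at least one <active-response> block matches."""
    disabled, commands, responses = load_config(conf_text)
    if disabled:
        return ["active response is disabled globally (<disabled>yes</disabled>)"]
    if not responses:
        return ["no <active-response> block references a <command>"]
    reasons = []
    for r in responses:
        name = r["command"]
        cmd = commands.get(name)
        if cmd is None:
            reasons.append(f"{name}: referenced but no <command> block defines it")
            continue
        # Every criterion present in the block must hold; most configs use one.
        if r["level"] is not None and alert["level"] < r["level"]:
            reasons.append(f"{name}: alert level {alert['level']} is below <level>{r['level']}</level>")
            continue
        if r["rules_id"] and alert["rule_id"] not in r["rules_id"]:
            reasons.append(f"{name}: rule {alert['rule_id']} not in <rules_id>")
            continue
        if r["rules_group"] and not set(alert["groups"]) & set(r["rules_group"]):
            reasons.append(f"{name}: none of {alert['groups']} in <rules_group>")
            continue
        if cmd["expect"] == "srcip" and not alert.get("srcip"):
            reasons.append(f"{name}: command expects srcip but the alert has none")
            continue
        return []  # this block matches, so execd should receive the request
    return reasons


if __name__ == "__main__":
    for label, conf in (("level 6", SAMPLE_CONF_LEVEL6), ("rules_id", SAMPLE_CONF_BY_RULE)):
        print(label, "->", why_not_triggered(conf, SAMPLE_ALERT) or "would trigger")
```

Run it as a script and the level-6 config reports that the level 5 alert is below the threshold, while the rules_id variant matches. Note that `<location>` only decides where the script runs once a block matches; comparing the pastebin config's `<level>` or `<rules_id>` against the level 5 alert above is the first thing to check.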
