Thanks all for the help. I had another machine laying around, so I installed an 'agent' to the second machine. Once I did that and had it report to the server, everything started working fine and it inserts the blocks in my hosts.deny.
I don't know if it's a bug per se, but I believe that the active responses shouldn't make you install an agent if you just have a server running. Then again, if you are just using one machine, you should probably install 'local' anyways. Thanks for the responses and help! On Thursday, March 13, 2014 2:54:43 PM UTC-5, Mike Wisniewski wrote: > > Please see below for the answers... > > On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote: >> >> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski <[email protected]> >> wrote: >> > Thanks for the quick response. Please see inline for naswers. >> > >> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote: >> >> >> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski <[email protected]> >> wrote: >> >> [...] >> >> >> >> >> >> Are you using active response? >> > >> > >> > Yes, I am trying to use active response. I'm trying to get it to dump >> IP's >> > in /etc/hosts.deny. I am reading logs from another device in a >> directory >> > that doesn't support ossec. It's actually dumping the apache logs and >> I'm >> > trying to get it to add it to the hosts.deny on the server. >> > >> >> Make sure AR isn't disabled. Make sure ossec-execd is running. Make >> sure AR is configured for the server and not just the agents. >> >> > I believe I enabled AR for the 'host-deny' command. Attached is my config > file. > > http://pastebin.com/PY8C10Uc > > ossec-execd is running as well. The alert shows up in the 'alerts.log' > file as well, but doesn't add it to /etc/hosts.deny or the > activeresponse.log. Here's a snip of an alert of me doing a vulnerability > scan against that box. > > ** Alert 1394732302.250449: - apache,invalid_request, > 2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log > Rule: 30115 (level 5) -> 'Invalid URI (bad client request).' > Src IP: 10.0.1.9 > [Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in > request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd > HTTP/1.1 > > > Thanks for your response and help. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
