On Thu, Mar 13, 2014 at 4:49 PM, Mike Wisniewski <[email protected]> wrote:
>
> Thanks all for the help. I had another machine lying around, so I installed an 'agent' on the second machine. Once I did that and had it report to the server, everything started working fine and it inserts the blocks in my hosts.deny.
>
> I don't know if it's a bug per se, but I believe that the active responses shouldn't make you install an agent if you just have a server running. Then again, if you are just using one machine, you should probably install 'local' anyways.
>

It's not a bug, you did the wrong installation.

> Thanks for the responses and help!
>
> On Thursday, March 13, 2014 2:54:43 PM UTC-5, Mike Wisniewski wrote:
>>
>> Please see below for the answers...
>>
>> On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
>>>
>>> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski <[email protected]> wrote:
>>> > Thanks for the quick response. Please see inline for answers.
>>> >
>>> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>>> >>
>>> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski <[email protected]> wrote:
>>> >> [...]
>>> >>
>>> >> Are you using active response?
>>> >
>>> > Yes, I am trying to use active response. I'm trying to get it to dump IPs in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add it to the hosts.deny on the server.
>>> >
>>>
>>> Make sure AR isn't disabled. Make sure ossec-execd is running. Make sure AR is configured for the server and not just the agents.
>>>
>>
>> I believe I enabled AR for the 'host-deny' command. Attached is my config file.
>>
>> http://pastebin.com/PY8C10Uc
>>
>> ossec-execd is running as well. The alert shows up in the 'alerts.log' file as well, but doesn't add it to /etc/hosts.deny or the activeresponse.log. Here's a snip of an alert of me doing a vulnerability scan against that box.
>>
>> ** Alert 1394732302.250449: - apache,invalid_request,
>> 2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
>> Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
>> Src IP: 10.0.1.9
>> [Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
>>
>> Thanks for your response and help.
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
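The checks dan lists (AR not disabled, ossec-execd running, AR configured for the server rather than only for agents) all map onto the `<active-response>` section of ossec.conf. The following fragment is an added example written for this thread, not the poster's pastebin config or anything shipped by the OSSEC project; the `<command>` block and element names are the standard OSSEC ones, while the choice of level is an assumption made for illustration. Two things worth comparing against a real config: `<location>` decides which host actually runs `host-deny.sh` (a response with `<location>local</location>` on a server-only install executes on the host that generated the alert, which is where an agent or a 'local' install would be needed), and the response only fires for alerts at or above `<level>`, so a level-5 alert such as rule 30115 in the thread is below the threshold a stock `<level>6</level>` entry sets.

```xml
<ossec_config>

  <!-- Global active-response switch. If this block is present with
       <disabled>yes</disabled>, no response fires anywhere, whatever
       the individual <active-response> entries say. -->
  <active-response>
    <disabled>no</disabled>
  </active-response>

  <!-- Command definition: name, script under active-response/bin,
       and which alert field the script expects (srcip here). -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Response that runs ON THE SERVER. This is the case from the
       thread: logs read on the server itself, block written to the
       server's /etc/hosts.deny. -->
  <active-response>
    <command>host-deny</command>
    <location>server</location>
    <!-- Assumed for illustration: lowered to 5 so that a level-5
         Apache rule (e.g. 30115) reaches the threshold. The stock
         config uses 6, which a level-5 alert never triggers. -->
    <level>5</level>
    <timeout>600</timeout>
  </active-response>

  <!-- For comparison, the entry that only works once an agent (or a
       'local' installation) exists: 'local' means "run on the host
       that produced the alert", so on a pure server install with
       no agent reporting in, nothing is there to execute it. -->
  <!--
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  -->

</ossec_config>
```

After changing the file, restart OSSEC and watch `logs/active-responses.log`: an entry there confirms ossec-execd received the command, so a rule that still produces an alert but no log line points at `<level>` or `<location>`, whereas an entry with no change to /etc/hosts.deny points at the script or file permissions.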
