On Tue, Apr 29, 2014 at 11:34 AM, Binet, Valere (NIH/NIA/IRP) [C] <[email protected]> wrote:
> ossec and ossec-server were updated automatically as soon as I added the
> atomic repo.
> After that ossec wouldn't start and there was no message in ossec.log saying
> why.
> So I removed ossec and ossec-server, renamed /var/ossec and reinstalled them.
>
> Now I'm scrambling trying to find what to copy back from /var/ossec-old to
> the new /var/ossec
> What am I supposed to do with the files in queue/fts/ ?
>

I've never had problems with upgrades (of course I don't use the atomic repos either). I'd copy the fts-queue file over. The other files are empty on my system, so I don't have any clues about those.

> ________________________________________
> From: Binet, Valere (NIH/NIA/IRP) [C]
> Sent: Tuesday, April 29, 2014 9:11 AM
> To: [email protected]
> Subject: RE: [ossec-list] whitelisted IP triggers auto-response
>
> Since I cannot find any documentation about incompatibilities or things (not)
> to do when upgrading, I'll assume the process is straightforward and I'll
> upgrade the OSSEC server using the AtomiCorp repository.
> If I'm wrong I can rely on puppet and backups to go back, I guess.
> If it goes well, the firewall will likely be the first agent I upgrade.
>
> ________________________________________
> From: dan (ddp) [[email protected]]
> Sent: Tuesday, April 29, 2014 7:48 AM
> To: [email protected]
> Subject: Re: [ossec-list] whitelisted IP triggers auto-response
>
> On Mon, Apr 28, 2014 at 9:48 AM, Binet, Valere (NIH/NIA/IRP) [C]
> <[email protected]> wrote:
>> Hi,
>>
>> I'm having undesired auto-response triggering lately.
>> We whitelist our internal IP range on the OSSEC server. One of our IPs is
>> being a "bad boy" running a Nessus scanner and therefore triggering tons of
>> OSSEC alerts. The problem is that the auto-response blocks that IP at the
>> firewall even though it is part of a whitelisted range.
>>
>> Config info :
>> OSSEC version 2.6.1
>
> Is there any chance you can test a recent version?
>
>> OSSEC server's ossec.conf (partial)
>>
>> <ossec_config>
>>   <global>
>>     <email_notification>yes</email_notification>
>>     ...
>>     <white_list>127.0.0.1</white_list>
>>     <white_list>137.187.160.0/22</white_list>
>>     <!-- ... other whitelists -->
>>   </global>
>>   ...
>>   <!-- Active Response Config -->
>>   <active-response>
>>     <!-- Firewall Drop response. Block the IP for
>>        - 600 seconds on the firewall (iptables,
>>        - ipfilter, etc).
>>     -->
>>     <command>firewall-drop</command>
>>     <location>defined-agent</location>
>>     <agent_id>401</agent_id>
>>     <rules_id>5712,5720,30109,31151,31152,31153,31154</rules_id>
>>     <timeout>600</timeout>
>>     <repeated_offenders>10,10,30,60</repeated_offenders>
>>   </active-response>
>>   ...
>> </ossec_config>
>>
>> auto-response.log on the firewall (tail)
>>
>> Sun Apr 27 18:58:48 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398639528.265373436 5720
>> Sun Apr 27 19:09:19 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398639528.265373436 5720
>> Sun Apr 27 19:11:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398640314.267444639 5720
>> Sun Apr 27 19:22:39 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398640314.267444639 5720
>> Sun Apr 27 19:25:06 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398641106.269913714 5720
>> Sun Apr 27 19:35:37 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398641106.269913714 5720
>>
>> Logs on the server don't seem to show anything clearly linked to this issue.
>> Searches on the user-list archives and on DuckDuckGo didn't help.
>>
>> I didn't choose to install the Nessus scanner and I'm not allowed to get rid
>> of it. Other than that, every suggestion is welcomed.
>>
>> Thank you.
>>
>> Valère Binet [C]
>> IT Security Administrator
>> Kelly Government Solutions On-Site at the NIH
>> NIH / NIA / IRP
>> Tel : 410 558 8013
>> mailto: [email protected]
>>
>> NCTS performance comments and survey at:
>> https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
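As an added illustration (not code from the thread, from its participants, or from OSSEC), the Python check below reads the <white_list> entries out of an ossec.conf excerpt and the firewall-drop lines of an active-response log in the format quoted in the thread, then reports whether each blocked target falls inside a whitelisted range; a target that is a hostname rather than an address, as in the quoted log, is flagged separately because it cannot be compared against CIDR entries at all. The config excerpt and log lines are constructed, and the 137.187.161.9 and 198.51.100.7 targets are made-up sample values.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the ossec.conf quoted in the thread; only the
# <white_list> entries matter to this check.
OSSEC_CONF = """<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>137.187.160.0/22</white_list>
  </global>
</ossec_config>"""

# Constructed active-response log lines in the thread's format;
# 137.187.161.9 and 198.51.100.7 are made-up sample targets.
AR_LOG = """Sun Apr 27 18:58:48 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:09:19 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - nessus.nia.nih.gov 1398639528.265373436 5720
Sun Apr 27 19:11:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 137.187.161.9 1398640314.267444639 5720
Sun Apr 27 19:25:06 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1398641106.269913714 5720"""

# Each line is: <timestamp> <script> <add|delete> <user> <target> <alert id> <rule id>
AR_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \w+ \d{4}) (?P<script>\S+) "
    r"(?P<action>add|delete) (?P<user>\S+) (?P<target>\S+) (?P<alert>\S+) (?P<rule>\d+)$"
)


def load_white_list(conf_xml):
    """Return every <white_list> entry as an ip_network (a bare address becomes a /32)."""
    root = ET.fromstring(conf_xml)
    return [ipaddress.ip_network(e.text.strip(), strict=False)
            for e in root.iter("white_list")]


def audit_active_responses(log_text, white_list):
    """Classify each 'add' (block) action as whitelisted, not-whitelisted,
    or hostname (a non-address target that no CIDR entry can match)."""
    findings = []
    for line in log_text.splitlines():
        m = AR_RE.match(line)
        if not m or m["action"] != "add":
            continue  # skip unparseable lines and the matching 'delete' actions
        target = m["target"]
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            findings.append((target, m["rule"], "hostname"))
            continue
        status = "whitelisted" if any(ip in net for net in white_list) else "not-whitelisted"
        findings.append((target, m["rule"], status))
    return findings
```

Run it against a real active-responses.log to see which blocks hit addresses inside a white_list range and which targets never had an address to compare in the first place.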
