Hello! When OSSEC needs to block/deliver several IPs at the same time, I get many entries like the ones below in active-response.log:

    Tue Jul 14 10:41:07 CEST 2015 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh add - <IP> 1436863264.10444213 5551
    Tue Jul 14 10:41:07 CEST 2015 Killed process 18927 holding lock.

What I have noticed is that after each execution of firewall-drop.sh, I get a defunct process. Example:

    root 19208 21900 0 10:41 ? 00:00:00 [firewall-drop.s] <defunct>
    root 19238 21900 0 10:41 ? 00:00:00 [firewall-drop.s] <defunct>

I think this is the cause of the error seen in active-response.log. Delete / add does not do the job in that case. I have the latest version of OSSEC (running on CentOS 6.4). Any idea? Thanks in advance!
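As an added example (not from the original post and not OSSEC's own code), a small POSIX shell check that scans active-response.log text and `ps -ef` output for the two symptoms described above: "Killed process ... holding lock" events and defunct firewall-drop.sh children, plus the parent PID that is failing to reap them. The sample input is constructed from the lines quoted in the post; the 192.0.2.10 address, the ossec-execd process line and the log path are assumptions.

```shell
#!/bin/sh
# Added example: detect active-response lock contention symptoms.
# In real use, feed "$(cat /var/ossec/logs/active-response.log)" and
# "$(ps -ef)" (path assumed); the samples below are constructed.

SAMPLE_AR_LOG='Tue Jul 14 10:41:07 CEST 2015 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1436863264.10444213 5551
Tue Jul 14 10:41:07 CEST 2015 Killed process 18927 holding lock.
Tue Jul 14 10:41:09 CEST 2015 Killed process 19011 holding lock.'

# Constructed ps -ef excerpt: parent 21900 is assumed to be ossec-execd.
SAMPLE_PS='root 21900 1 0 09:00 ? 00:00:00 /var/ossec/bin/ossec-execd
root 19208 21900 0 10:41 ? 00:00:00 [firewall-drop.s] <defunct>
root 19238 21900 0 10:41 ? 00:00:00 [firewall-drop.s] <defunct>'

# Number of times active response killed a script still holding the lock.
count_lock_kills() {
    printf '%s\n' "$1" | grep -c 'Killed process [0-9]* holding lock'
}

# Number of firewall-drop.sh runs that did not complete (iptables != 2).
count_iptables_failures() {
    printf '%s\n' "$1" | grep -c 'Unable to run (iptables returning != 2)'
}

# Defunct firewall-drop.sh children; the kernel truncates the command name
# to 15 characters, which is why ps shows "firewall-drop.s".
count_defunct_firewall_drop() {
    printf '%s\n' "$1" | grep '<defunct>' | grep -c 'firewall-drop.s'
}

# Distinct parent PIDs (column 3 of ps -ef) of defunct processes: the parent
# that never calls wait() is the one leaving zombies behind.
defunct_parents() {
    printf '%s\n' "$1" | grep '<defunct>' | awk '{print $3}' | sort -u
}

# Human-readable summary for an operator.
report() {
    echo "lock kills:        $(count_lock_kills "$1")"
    echo "iptables failures: $(count_iptables_failures "$1")"
    echo "defunct scripts:   $(count_defunct_firewall_drop "$2")"
    echo "zombie parents:    $(defunct_parents "$2" | tr '\n' ' ')"
}

report "$SAMPLE_AR_LOG" "$SAMPLE_PS"
```

A non-zero count of defunct scripts whose parent is the active-response daemon points at children not being reaped rather than at iptables itself.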
