Since you mentioned phpmyadmin, I'd guess maybe one of the SQL injection rules, if phpmyadmin transfers certain requests as a GET (making it show up in the webserver logs).
On 11/10/2015 7:31 PM, frwa onto wrote:
> Hi Santiago,
>
> This will just block the active response, right? But in my case, why is it that when I try to get huge data the active response comes into effect? I can't see which rule is fired to activate the active response. Is there any workaround together with the active response being active?
>
> On Wed, Nov 11, 2015 at 2:04 AM, Santiago Bassett <[email protected]> wrote:
>
> You can find info here: http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html
>
> If unsure I suggest to disable it at /var/ossec/etc/ossec.conf
>
>     <active-response>
>       <disabled>yes</disabled>
>     </active-response>
>
> On Tue, Nov 10, 2015 at 1:22 AM, frwa onto <[email protected]> wrote:
>
> Hi Ryan,
>
> I am not too good at tuning up my active response or rules. Any tips on how to go about it?
>
> On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze <[email protected]> wrote:
>
> Sounds like you may want to look into fine tuning your active response and/or rules.
>
> On 11/9/2015 10:11 PM, frwa onto wrote:
>
> Hi Santiago,
>
> I am just running as standalone, so it's not a manager or agent. I have another machine, for instance, where I am using the older ossec 2.7.1. In that one I have tried, say, my phpmyadmin, and when I start browsing huge data ossec will block me, and only after some time I can login. Here is the active response log as below.
>
>     Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
>     Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
>     Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
>     Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
>
> I don't know what the trigger is exactly, but I know it is due to my browsing of huge data. Also, how to overcome this issue?
>
> In my older version I saw this error too:
>
>     ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>
> This is my worry on the new machine using 2.8.1: the app might get blocked from accessing the data.
>
> On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett wrote:
>
> Are you running an agent or the manager? I don't think OSSEC would block access to your mysql db.
>
> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <[email protected]> wrote:
>
> Hi,
>
> I have a centos server. I have managed to install ossec 2.8.1. It mainly runs a socket programming app. For every instance of a connection it will receive data and insert into a mysql db. What I am worried about is in what scenario it will block the access to this local mysql db, as I can see there are some rules for mysql? Sorry, very new to these.
----- You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
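The question of which rule fired is answerable from the active-responses.log lines quoted in the thread: the last two fields of each record are the alert id and the rule id. The following is an added example, not code from the thread or from OSSEC itself; it assumes the field layout `<timestamp> <script> <action> <user> <srcip> <alert_id> <rule_id>`, pairs the add/delete records per source IP to show how long the block lasted, and emits the grep that pulls the triggering alert out of alerts.log.

```python
import re
from datetime import datetime

# Constructed sample input: the four active-responses.log lines quoted in the thread.
AR_LOG = """\
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
"""

# Assumed field layout, one event per line:
#   <weekday> <month> <day> <HH:MM:SS> <zone> <year> <script> <add|delete> <user> <srcip> <alert_id> <rule_id>
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<ip>\S+) (?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)
def parse_event(line):
    """Return one parsed event, or None when the line is not an active-response record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # The zone abbreviation is dropped: strptime does not know names such as MYT.
    ev["ts"] = datetime.strptime(
        f"{ev['mon']} {ev['day']} {ev['year']} {ev['time']}", "%b %d %Y %H:%M:%S")
    ev["script"] = ev["script"].rsplit("/", 1)[-1]
    return ev
def summarize_blocks(log_text):
    """Pair add/delete events per (source ip, alert id): which rule, which scripts, how long."""
    blocks = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        b = blocks.setdefault((ev["ip"], ev["alert_id"]), {
            "ip": ev["ip"], "alert_id": ev["alert_id"], "rule_id": ev["rule_id"],
            "scripts": set(), "added": None, "deleted": None})
        b["scripts"].add(ev["script"])
        b["added" if ev["action"] == "add" else "deleted"] = ev["ts"]
    for b in blocks.values():
        # duration_s stays None while the block is still active (no matching delete yet).
        b["duration_s"] = (int((b["deleted"] - b["added"]).total_seconds())
                           if b["added"] and b["deleted"] else None)
        # The alert id is the handle for pulling the triggering alert out of alerts.log.
        b["lookup"] = f"grep -A 12 'Alert {b['alert_id']}:' /var/ossec/logs/alerts/alerts.log"
    return list(blocks.values())
if __name__ == "__main__":
    for b in summarize_blocks(AR_LOG):
        print(f"{b['ip']} blocked by rule {b['rule_id']} for {b['duration_s']}s via "
              f"{', '.join(sorted(b['scripts']))}; triggering alert: {b['lookup']}")
```

For the quoted lines this reports a 630-second block of 10.212.134.200 by rule 31106 via firewall-drop.sh and host-deny.sh, which is the rule to inspect or tune before deciding whether to disable active response altogether.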
