Yes I do.

Restarting OSSEC:
ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response.
ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-analysisd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.


# cat ar.conf
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
(and if I add 'firewall-drop600 - firewall-drop.sh - 600' in ar.conf, it is 
cleared and resets to the above after restart)


# /var/ossec/bin/agent_control -L
OSSEC HIDS agent_control. Available active responses:

On Tuesday, December 29, 2015 at 1:18:05 PM UTC-5, dan (ddpbsd) wrote:
>
> On Tue, Dec 29, 2015 at 1:07 PM, Cal <[email protected]> wrote:
> > I'm on v.2.8.3 and trying to get active response configured for my OSSEC
> > server. I get the error "ossec-config(1303): ERROR: Invalid command
> > 'firewall-drop' in the active response" after restart. I checked the
> > permission for ar.conf, which is chowned root/ossec. I place
> > "firewall-drop600 - firewall-drop.sh - 600" in ar.conf, however the file is
> > cleared after OSSEC restarts. Prior to restart, /var/ossec/bin/agent_control
> > -L shows the valid response options, but after restart nothing is visible.
> >
> > Here's my ossec.conf, which I've tried several options from examples online:
> > 
> >   <active-response> 
> >     <disabled>no</disabled> 
> >     <command>firewall-drop</command> 
> >     <location>all</location> 
> >     <rules_id>5712</rules_id> 
> >     <timeout>600</timeout> 
> >   </active-response> 
> > 
> > Any help appreciated! 
> > 
>
> Do you have this in your ossec.conf: 
>   <command> 
>     <name>firewall-drop</name> 
>     <executable>firewall-drop.sh</executable> 
>     <expect>srcip</expect> 
>     <timeout_allowed>yes</timeout_allowed> 
>   </command> 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
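
An added example, not part of the original thread and not OSSEC code: a pre-restart check that lists every `<active-response>` whose `<command>` has no matching `<command><name>` definition, which is the condition behind error 1303 above. The function name `undefined_ar_commands` and the sample configuration are constructed for illustration, and the input is assumed to have no XML declaration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <active-response> from the thread with no matching
# <command> definition, plus a second <ossec_config> block that is consistent.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
  </active-response>
</ossec_config>
"""

def undefined_ar_commands(conf_text):
    """Return command names used by <active-response> but never defined."""
    # ossec.conf may contain several <ossec_config> roots, which is not
    # well-formed XML on its own, so parse it inside a synthetic wrapper.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    # A definition is a <command> element with a <name> child; the <command>
    # inside <active-response> is only a reference (text, no child).
    defined = {c.findtext("name").strip()
               for c in root.iter("command") if c.findtext("name")}
    missing = []
    for ar in root.iter("active-response"):
        ref = (ar.findtext("command") or "").strip()
        if ref and ref not in defined and ref not in missing:
            missing.append(ref)
    return missing

if __name__ == "__main__":
    for name in undefined_ar_commands(SAMPLE_CONF):
        print(f"active-response references undefined command: {name}")
```

An empty result means every active response refers to a command the configuration defines.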
