Thanks for the feedback. I double checked my <command><name>firewall-drop.... line and found a typo in the tag. Thanks!
On Tuesday, December 29, 2015 at 1:18:05 PM UTC-5, dan (ddpbsd) wrote:
>
> On Tue, Dec 29, 2015 at 1:07 PM, Cal <[email protected]> wrote:
> > I'm on v.2.8.3 and trying to get active response configured for my OSSEC
> > server. I get the error "ossec-config(1303): ERROR: Invalid command
> > 'firewall-drop' in the active response" after restart. I checked the
> > permission for ar.conf, which is chowned root/ossec. I place
> > "firewall-drop600 - firewall-drop.sh - 600" in ar.conf, however the file is
> > cleared after OSSEC restarts. Prior to restart, /var/ossec/bin/agent_control
> > -L shows the valid response options, but after restart nothing is visible.
> >
> > Here's my ossec.conf, which I've tried several options from examples online:
> >
> > <active-response>
> >   <disabled>no</disabled>
> >   <command>firewall-drop</command>
> >   <location>all</location>
> >   <rules_id>5712</rules_id>
> >   <timeout>600</timeout>
> > </active-response>
> >
> > Any help appreciated!
> >
>
> Do you have this in your ossec.conf:
> <command>
>   <name>firewall-drop</name>
>   <executable>firewall-drop.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
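
Added example, not part of the original thread and not OSSEC's own code: a small pre-restart check that every <active-response> refers to a <command> block that actually defines that <name>, which is the mismatch behind error 1303 here. The sample config and its <nmae> typo are constructed (the thread does not say what the real typo was), and wrapping the file in a synthetic root element to parse it is an assumption about how to read ossec.conf.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <command> block has a typo in its name tag (<nmae>),
# so the active response below refers to a command that is never defined.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <nmae>firewall-drop</nmae>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

def check_active_response(conf_text):
    """Return a list of problems linking <active-response> to <command> blocks."""
    try:
        # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
        root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    except ET.ParseError as exc:
        return ["config is not well-formed: %s" % exc]
    problems, defined = [], set()
    for cfg in root.iter("ossec_config"):
        for cmd in cfg.findall("command"):  # direct children only: definitions
            name = (cmd.findtext("name") or "").strip()
            if name:
                defined.add(name)
            else:
                tags = ", ".join(child.tag for child in cmd)
                problems.append("<command> block without <name> (tags: %s)" % tags)
    for ar in root.iter("active-response"):
        ref = (ar.findtext("command") or "").strip()
        if ref and ref not in defined:
            problems.append("active response uses undefined command '%s'" % ref)
    return problems

if __name__ == "__main__":
    for line in check_active_response(SAMPLE_CONF):
        print(line)
```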
