On Dec 29, 2015 3:31 PM, "Cal" <[email protected]> wrote:
>
> Yes I do.
>
> Restarting OSSEC:
> ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response.
> ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> ossec-analysisd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>
> # cat ar.conf
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> (and if I add 'firewall-drop600 - firewall-drop.sh - 600' in ar.conf, it is cleared and resets to the above after restart)
>

Because you don't modify that file, ossec should fill it in. Since you said the command block I pasted is in your ossec.conf, can you make sure the script exists? Is it executable?

>
> # /var/ossec/bin/agent_control -L
> OSSEC HIDS agent_control. Available active responses:
>
> On Tuesday, December 29, 2015 at 1:18:05 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Tue, Dec 29, 2015 at 1:07 PM, Cal <[email protected]> wrote:
>> > I'm on v.2.8.3 and trying to get active response configured for my OSSEC server. I get the error "ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response" after restart. I checked the permission for ar.conf, which is chowned root/ossec. I place "firewall-drop600 - firewall-drop.sh - 600" in ar.conf, however the file is cleared after OSSEC restarts. Prior to restart, /var/ossec/bin/agent_control -L shows the valid response options, but after restart nothing is visible.
>> >
>> > Here's my ossec.conf, which I've tried several options from examples online:
>> >
>> > <active-response>
>> >   <disabled>no</disabled>
>> >   <command>firewall-drop</command>
>> >   <location>all</location>
>> >   <rules_id>5712</rules_id>
>> >   <timeout>600</timeout>
>> > </active-response>
>> >
>> > Any help appreciated!
>> >
>>
>> Do you have this in your ossec.conf:
>> <command>
>>   <name>firewall-drop</name>
>>   <executable>firewall-drop.sh</executable>
>>   <expect>srcip</expect>
>>   <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
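A consistency check for the situation discussed in this thread, added here as an example and not code from the thread or from OSSEC itself. It parses an ossec.conf fragment (a constructed sample modelled on the two blocks quoted above; the active-response bin directory path is an assumption) and reports active-response entries whose command has no matching <command> definition, and defined scripts that are missing or not executable, which is what dan asks Cal to verify.

```python
import os
import xml.etree.ElementTree as ET
# Constructed sample ossec.conf fragment, modelled on the blocks quoted in the thread.
# OSSEC allows several top-level <ossec_config> elements, so wrap in a synthetic root.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

def check_active_response(conf_text, ar_bin_dir="/var/ossec/active-response/bin"):
    """Return problems: undefined command names, and missing or non-executable scripts.
    ar_bin_dir is the assumed location of the active-response scripts."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # <command><name> definitions are the only names an <active-response> may reference.
    defined = {}
    for cmd in root.iter("command"):
        name = cmd.findtext("name")
        if name is not None:  # skips the <command> child of <active-response>
            defined[name.strip()] = (cmd.findtext("executable") or "").strip()
    problems = []
    for ar in root.iter("active-response"):
        if (ar.findtext("disabled") or "no").strip() == "yes":
            continue
        ref = (ar.findtext("command") or "").strip()
        if ref not in defined:
            # The case behind "Invalid command 'firewall-drop' in the active response".
            problems.append("undefined command: %s" % ref)
            continue
        path = os.path.join(ar_bin_dir, defined[ref])
        if not os.path.isfile(path):
            problems.append("missing script: %s" % path)
        elif not os.access(path, os.X_OK):
            problems.append("not executable: %s" % path)
    return problems
```

Run it against the real file with `check_active_response(open("/var/ossec/etc/ossec.conf").read())` on the server; an empty list means every referenced command is defined and its script is present and executable.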
