And thanks for your help!

On Tuesday, December 29, 2015 at 5:57:16 PM UTC-5, Cal wrote:
>
> Yes, the script worked! Just fat-fingered the tag.
>
> On Tuesday, December 29, 2015 at 5:25:20 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Dec 29, 2015 3:31 PM, "Cal" <[email protected]> wrote:
>> >
>> > Yes I do.
>> >
>> > Restarting OSSEC:
>> > ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response.
>> > ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>> > ossec-analysisd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>> >
>> > # cat ar.conf
>> > restart-ossec0 - restart-ossec.sh - 0
>> > restart-ossec0 - restart-ossec.cmd - 0
>> > (and if I add 'firewall-drop600 - firewall-drop.sh - 600' in ar.conf, it is cleared and resets to the above after restart)
>> >
>>
>> Because you don't modify that file, ossec should fill it in.
>> Since you said the command block I pasted is in your ossec.conf, can you make sure the script exists? Is it executable?
>>
>> > # /var/ossec/bin/agent_control -L
>> > OSSEC HIDS agent_control. Available active responses:
>> >
>> > On Tuesday, December 29, 2015 at 1:18:05 PM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Dec 29, 2015 at 1:07 PM, Cal <[email protected]> wrote:
>> >> > I'm on v.2.8.3 and trying to get active response configured for my OSSEC server. I get the error "ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response" after restart. I checked the permission for ar.conf, which is chowned root/ossec. I place "firewall-drop600 - firewall-drop.sh - 600" in ar.conf, however the file is cleared after OSSEC restarts. Prior to restart, /var/ossec/bin/agent_control -L shows the valid response options, but after restart nothing is visible.
>> >> >
>> >> > Here's my ossec.conf; I've tried several options from examples online:
>> >> >
>> >> > <active-response>
>> >> >   <disabled>no</disabled>
>> >> >   <command>firewall-drop</command>
>> >> >   <location>all</location>
>> >> >   <rules_id>5712</rules_id>
>> >> >   <timeout>600</timeout>
>> >> > </active-response>
>> >> >
>> >> > Any help appreciated!
>> >> >
>> >>
>> >> Do you have this in your ossec.conf:
>> >> <command>
>> >>   <name>firewall-drop</name>
>> >>   <executable>firewall-drop.sh</executable>
>> >>   <expect>srcip</expect>
>> >>   <timeout_allowed>yes</timeout_allowed>
>> >> </command>
>> >>
>> >
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
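As an added example (not code from the thread or from the OSSEC project), a POSIX shell check for the two causes dan points at: an active-response referencing a command that no `<command>` block defines, and a script that is missing or not executable. It assumes only the two ossec.conf blocks quoted above, and takes the config path and the active-response bin directory as arguments so it can be run against a constructed config.

```shell
#!/bin/sh
# Added example, not code from the thread or the OSSEC project. For each <command>
# that an <active-response> block references in ossec.conf, confirm that a
# <command><name>...</name> block defines it and that its <executable> exists and is
# executable in the active-response bin directory (/var/ossec/active-response/bin on a
# stock install). Both paths are arguments so the check can run in a scratch directory.

# check_ar_config CONF BINDIR  ->  returns 0 if every reference resolves, 1 otherwise
check_ar_config() {
    conf=$1; bindir=$2; rc=0
    # Command names referenced inside <active-response> ... </active-response>
    refs=$(awk '/<active-response>/ { inar = 1 }; /<\/active-response>/ { inar = 0 }
                inar && /<command>/ { s = $0; sub(/.*<command>/, "", s)
                                      sub(/<\/command>.*/, "", s); print s }' "$conf")
    for name in $refs; do
        # <executable> of the <command> block whose <name> matches this reference
        exe=$(awk -v want="$name" '
            /<name>/       { n = $0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n) }
            /<executable>/ { e = $0; sub(/.*<executable>/, "", e); sub(/<\/executable>.*/, "", e) }
            /<\/command>/  { if (n == want) print e; n = ""; e = "" }' "$conf")
        if [ -z "$exe" ]; then
            echo "ERROR: '$name' is referenced but no <command> block defines it" >&2; rc=1
        elif [ ! -x "$bindir/$exe" ]; then
            echo "ERROR: '$name' -> $bindir/$exe is missing or not executable" >&2; rc=1
        fi
    done
    return $rc
}

# write_sample_conf FILE: constructed ossec.conf mirroring the thread's two blocks
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
EOF
}
```

Run it as `check_ar_config /var/ossec/etc/ossec.conf /var/ossec/active-response/bin` on a real server; a non-zero exit plus the ERROR line tells you which of the two causes applies before you restart OSSEC.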
