OFC it is not a solution, I thought you were not sure what active-response is and you were complaining about those scripts.
Regarding your problem, I am not sure why these processes remain in Zombie status. I think by default both scripts should execute, block the IP and after 600 seconds execute again and unblock the IP. Check /var/ossec/logs/active-responses.log, maybe we can find something useful there.

On Monday, February 8, 2016 at 11:40:11 AM UTC+1, Giorgio Biondi wrote:
>
> Hi Pedro,
>
> of course using active response.. the solution can't be 'not using this
> feature'..
>
> :-)
>
> 2016-02-08 11:36 GMT+01:00 Pedro S <[email protected]>:
>
>> Hi,
>>
>> Are you using active response? Those files are related to OSSEC
>> active-response; if you are not using it you can disable it by editing
>> the ossec.conf file:
>>
>> <active-response>
>>   <disabled>yes</disabled>
>> </active-response>
>>
>> Best regards,
>>
>> Pedro S.
>>
>> On Friday, February 5, 2016 at 9:17:48 AM UTC+1, Giorgio Biondi wrote:
>>>
>>> Hi all,
>>>
>>> nobody has this behavior?
>>>
>>> Good weekend
>>>
>>> On Friday, January 22, 2016 at 11:57:46 AM UTC+1, Giorgio Biondi wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have some Linux boxes with ossec installed and they work fine.
>>>> One of these always has some (or many more) processes in status 'Z'
>>>> zombie
>>>>
>>>> See this:
>>>>
>>>> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
>>>> root 25003 0.2 0.1 108212 1952 pts/0 S+ 11:53 0:00 watch ps aux | grep Z
>>>> root 25416 0.0 0.0 0 0 ? Z 11:55 0:00 [host-deny.sh] <defunct>
>>>> root 25417 0.0 0.0 0 0 ? Z 11:55 0:00 [firewall-drop.s] <defunct>
>>>> root 25418 0.0 0.0 0 0 ? Z 11:55 0:00 [host-deny.sh] <defunct>
>>>> root 25419 0.0 0.0 0 0 ? Z 11:55 0:00 [firewall-drop.s] <defunct>
>>>> root 25482 0.0 0.0 106060 1248 pts/0 S+ 11:55 0:00 sh -c ps aux | grep Z
>>>> root 25484 0.0 0.0 103256 860 pts/0 S+ 11:55 0:00 grep Z
>>>>
>>>> These processes relate to the ossec system.. apart from this the ossec
>>>> system works fine.. or seems fine..
>>>>
>>>> If I stop the ossec service I have a very huge load but this is a
>>>> 'known behaviour'.
>>>>
>>>> All the best.
>>>>
>>>> Giorgio Biondi.
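
An added example, not part of the thread and not OSSEC's own code: one way to act on the advice to check the active-response log is to pair each block with its unblock. It assumes each log line is the output of `date` followed by script path, action (`add` or `delete`), user, source IP, alert id and rule id; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Assumed line layout of /var/ossec/logs/active-responses.log:
#   <date output> <script path> <add|delete> <user> <srcip> <alert id> <rule id>

# Print "<script> <ip> <count>" for every block with no matching unblock.
unpaired_blocks() {
    awk '
    {
        # The timestamp width depends on the locale, so locate the action word.
        for (i = 2; i <= NF - 2; i++)
            if ($i == "add" || $i == "delete") break
        if (i > NF - 2) next            # not an active-response entry
        n = split($(i - 1), p, "/")     # keep only the script file name
        key = p[n] " " $(i + 2)         # script name + source IP
        if ($i == "add") open[key]++
        else if (open[key] > 0) open[key]--
    }
    END {
        for (k in open) if (open[k] > 0) print k, open[k]
    }' "$1" | sort
}

# Constructed sample: 203.0.113.5 is blocked and released by both scripts;
# 198.51.100.7 is blocked by both but only host-deny.sh releases it.
sample_log() {
    cat <<'EOF'
Mon Feb  8 11:55:01 CET 2016 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.5 1454928901.1001 5712
Mon Feb  8 11:55:01 CET 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1454928901.1001 5712
Mon Feb  8 11:58:30 CET 2016 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1454929110.2002 5712
Mon Feb  8 11:58:30 CET 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1454929110.2002 5712
Mon Feb  8 12:05:01 CET 2016 /var/ossec/active-response/bin/host-deny.sh delete - 203.0.113.5 1454928901.1001 5712
Mon Feb  8 12:05:01 CET 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.5 1454928901.1001 5712
Mon Feb  8 12:08:30 CET 2016 /var/ossec/active-response/bin/host-deny.sh delete - 198.51.100.7 1454929110.2002 5712
EOF
}

# Demo on the constructed sample; pass the real log path to unpaired_blocks instead.
tmp=$(mktemp) && sample_log > "$tmp" && unpaired_blocks "$tmp"
rm -f "$tmp"
```

Entries added within the last 600 seconds will show up as unpaired until their timeout runs, so only older ones point to an unblock that never happened.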
