As far as I can tell, host-deny.sh and firewall-drop.sh remain running about 30 secs before they stop; alerts with a level bigger than 6 and an srcip will trigger active-response. If your installation is generating a bunch of these alerts, that's maybe why you have a bunch of processes related to these scripts.
On Monday, February 8, 2016 at 12:33:11 PM UTC+1, Pedro S wrote:
>
> OFC it is not a solution, I thought you were not sure what active-response
> is and you were complaining about those scripts.
>
> Regarding your problem, I am not sure why these processes remain in
> Zombie status; I think by default both scripts should execute, block the IP
> and after 600 seconds execute again and unblock the IP.
>
> Check /var/ossec/logs/active-responses.log; maybe we can find something
> useful there.
>
> On Monday, February 8, 2016 at 11:40:11 AM UTC+1, Giorgio Biondi wrote:
>>
>> Hi Pedro,
>>
>> of course I am using active response.. the solution can't be 'not using this
>> feature'..
>>
>> :-)
>>
>> 2016-02-08 11:36 GMT+01:00 Pedro S <[email protected]>:
>>
>>> Hi,
>>>
>>> Are you using active response? Those files are related to OSSEC
>>> active-response; if you are not using it you can disable it by editing
>>> the ossec.conf file:
>>>
>>> <active-response>
>>> <disabled>yes</disabled>
>>> </active-response>
>>>
>>> Best regards,
>>>
>>> Pedro S.
>>>
>>> On Friday, February 5, 2016 at 9:17:48 AM UTC+1, Giorgio Biondi wrote:
>>>>
>>>> Hi all,
>>>>
>>>> nobody has this behavior?
>>>>
>>>> Good weekend
>>>>
>>>> On Friday, January 22, 2016 at 11:57:46 UTC+1, Giorgio Biondi wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have some Linux boxes with OSSEC installed and they work fine.
>>>>> One of them always has some (or many more) processes in status 'Z'
>>>>> zombie.
>>>>>
>>>>> See this:
>>>>>
>>>>> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
>>>>> root 25003 0.2 0.1 108212 1952 pts/0 S+ 11:53 0:00 watch ps aux | grep Z
>>>>> root 25416 0.0 0.0 0 0 ? Z 11:55 0:00 [host-deny.sh] <defunct>
>>>>> root 25417 0.0 0.0 0 0 ? Z 11:55 0:00 [firewall-drop.s] <defunct>
>>>>> root 25418 0.0 0.0 0 0 ? Z 11:55 0:00 [host-deny.sh] <defunct>
>>>>> root 25419 0.0 0.0 0 0 ? Z 11:55 0:00 [firewall-drop.s] <defunct>
>>>>> root 25482 0.0 0.0 106060 1248 pts/0 S+ 11:55 0:00 sh -c ps aux | grep Z
>>>>> root 25484 0.0 0.0 103256 860 pts/0 S+ 11:55 0:00 grep Z
>>>>>
>>>>> These processes are related to the OSSEC system.. apart from this the
>>>>> OSSEC system works fine.. or seems fine..
>>>>>
>>>>> If I stop the ossec service I get a very huge load, but this is a 'known
>>>>> behaviour'.
>>>>>
>>>>> All the best.
>>>>>
>>>>> Giorgio Biondi.
>>>>>
>>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to a topic in the
>>> Google Groups "ossec-list" group.
>>> To unsubscribe from this topic, visit
>>> https://groups.google.com/d/topic/ossec-list/DNaZYCCrapk/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to
>>> [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
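Added example, not part of the thread and not OSSEC project code: a POSIX shell snippet that takes `ps -eo pid,ppid,stat,comm` output, counts the defunct (`Z`) entries and groups them by parent PID. A zombie stays in the process table only until its parent reaps it, so the parent is the process to look at; the sample table, its PIDs and the `ossec-execd` parent shown in it are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,stat,comm` output (hypothetical PIDs).
# In the real run, SAMPLE_PS would be replaced by `ps -eo pid,ppid,stat,comm`.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
 2400     1 S    ossec-execd
25416  2400 Z    host-deny.sh
25417  2400 Z    firewall-drop.s
25418  2400 Z    host-deny.sh
25484 25003 S+   grep'

# count_zombies: number of processes whose STAT column starts with Z.
# Skips the header line (NR > 1).
count_zombies() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^Z/ { n++ } END { print n + 0 }'
}

# zombie_parents: one "ppid count" line per parent that still holds
# unreaped children, sorted by PID. Whatever PID shows up here is the
# process that has not called wait() on its finished active-response scripts.
zombie_parents() {
    printf '%s\n' "$1" \
        | awk 'NR > 1 && $3 ~ /^Z/ { c[$2]++ } END { for (p in c) print p, c[p] }' \
        | sort -n
}

# live_report: same two checks against the real process table.
live_report() {
    table=$(ps -eo pid,ppid,stat,comm)
    echo "defunct processes: $(count_zombies "$table")"
    echo "parents holding zombies (ppid count):"
    zombie_parents "$table"
}

# Demonstration on the constructed sample.
echo "defunct processes in sample: $(count_zombies "$SAMPLE_PS")"
zombie_parents "$SAMPLE_PS"
```

Run `live_report` on the affected box; if every zombie shares one parent PID, that parent is the process to restart or inspect, and the count over time tells you whether zombies are being reaped (a steady small number) or accumulating.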
