James, please check the active-responses.log on the respective agent/device.

And you might want to consider upgrading to a new version, because maybe there was indeed a bug in active response that has been addressed and fixed with a more recent version. Current stable version is 2.8.3, but if you plan to upgrade I would go for 2.9 (https://github.com/ossec/ossec-hids/releases/tag/v2.9.0beta06), as this will soon be the next official release.

On Thursday, 19 May 2016 18:37:06 UTC+2, James Siegel wrote:
> Active response is acting up abnormally in 2.8.1
>
> Active response is enabled.
> Subnets are whitelisted in ossec.conf on the server.
> The server and the agents have all been restarted over the past few months
> during patching cycles.
>
> Last week my boss was locked out by active response while demonstrating
> something during a webex/team call.
>
> Last night, the CEO was locked out of a different box.
>
> Both of their devices were in a whitelisted subnet range.
>
> In the case of my boss, he was logged in, and tried to su up to root and
> that is when it happened.
>
> The CEO tried logging in to a box and was locked out.
>
> My boss has asked me to reach out and see if anyone else is having issues.
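One way to carry out the log check suggested in the reply, as an added example that is not part of the original thread or of OSSEC itself: it lists every "add" entry in active-responses.log whose source address falls inside a `<white_list>` entry of ossec.conf. The function names, the sample data and the log entry layout (date, script path, action, user, source IP, alert id, rule id) are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample data, not taken from the thread.
SAMPLE_CONF = """<ossec_config><global>
  <white_list>127.0.0.1</white_list>
  <white_list>10.20.0.0/16</white_list>
</global></ossec_config>"""
SAMPLE_LOG = """\
Thu May 19 16:30:01 UTC 2016 /var/ossec/active-response/bin/host-deny.sh add - 10.20.4.17 1463675401.51234 5712
Thu May 19 16:30:01 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 10.20.4.17 1463675401.51234 5712
Thu May 19 16:31:12 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1463675472.51980 5712
Thu May 19 16:41:12 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.9 1463675472.51980 5712
"""

# Assumed entry layout: <date> <script> <add|delete> <user> <srcip> <alert id> <rule id>
ENTRY = re.compile(r"(\S+\.sh) (add|delete) (\S+) (\S+) (\S+) (\d+)\s*$")

def load_whitelist(conf_text):
    """Return the <white_list> entries of ossec.conf as ip_network objects."""
    # ossec.conf may contain several <ossec_config> roots, so wrap it before parsing.
    root = ET.fromstring("<r>" + conf_text + "</r>")
    nets = []
    for node in root.iter("white_list"):
        try:
            nets.append(ipaddress.ip_network((node.text or "").strip(), strict=False))
        except ValueError:
            pass  # not an address or CIDR block (e.g. empty element); skip it
    return nets

def whitelisted_blocks(log_text, nets):
    """Return (script, srcip, rule id) for each 'add' that hit a whitelisted address."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or m.group(2) != "add":
            continue
        try:
            ip = ipaddress.ip_address(m.group(4))
        except ValueError:
            continue  # srcip field is "-" when the response is not tied to an address
        if any(ip in net for net in nets):
            hits.append((m.group(1).rsplit("/", 1)[-1], str(ip), m.group(6)))
    return hits

if __name__ == "__main__":
    for hit in whitelisted_blocks(SAMPLE_LOG, load_whitelist(SAMPLE_CONF)):
        print("whitelisted address was blocked:", *hit)
```

On a default install the inputs would be the server's /var/ossec/etc/ossec.conf and the affected agent's /var/ossec/logs/active-responses.log; the rule id in each hit points to the rule that fired the response.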
