Yes. In the active-response I do see various entries of adding IPs to 
host-deny.sh 

/var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X 1465234313.25970854 5720.

However, I am not sure what caused OSSEC to flush all the iptables rules. 
We installed it yesterday and in all the machines it flushed the iptables 
rules.



On Tuesday, June 14, 2016 at 6:39:55 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora <[email protected]> wrote: 
> > I'm using the latest version of OSSEC ( 2.8 ) and yes active response is 
> > enabled. 
> > 
>
> The latest version is 2.8.3. 
>
> > So currently OSSEC clients are actively blocking attacks but due to some 
> > reason they have also flushed all the iptables rules from memory ( like 
> > iptables -F ) 
> > 
>
> Are there any entries in the activeresponse log file that might shed a 
> clue? 
>
> > On Tuesday, June 14, 2016 at 6:24:52 PM UTC+5:30, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Jun 14, 2016 at 8:17 AM, Zeal Vora <[email protected]> wrote: 
> >> > Hi 
> >> > 
> >> > We installed OSSEC in our production machines yesterday and today we saw 
> >> > that all the iptables rules in all the machines were flushed. Something 
> >> > similar to iptables -F 
> >> > 
> >> > Any idea on what can cause this? I am aware that OSSEC active-response can 
> >> > add or remove entries from iptables but have never known about flushing 
> >> > entire iptables rules. 
> >> > 
> >> > Any help will be appreciated! 
> >> > 
> >> 
> >> Which version of OSSEC? Is active response enabled? 
> >> 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, send an 
> >> > email to [email protected]. 
> >> > For more options, visit https://groups.google.com/d/optout. 
> > 
>
