Perhaps related to the Active Response bug mentioned in the comments here? https://web.archive.org/web/20150803131317/http://www.ossec.net/?p=1135
On Tue, Jun 14, 2016 at 9:09 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora <[email protected]> wrote:
>> I'm using the latest version of OSSEC (2.8) and yes, active response is
>> enabled.
>>
>
> The latest version is 2.8.3.
>
>> So currently OSSEC clients are actively blocking attacks but due to some
>> reason they have also flushed all the iptables rules from memory (like
>> iptables -F)
>>
>
> Are there any entries in the activeresponse log file that might shed a clue?
>
>> On Tuesday, June 14, 2016 at 6:24:52 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>> On Tue, Jun 14, 2016 at 8:17 AM, Zeal Vora <[email protected]> wrote:
>>> > Hi
>>> >
>>> > We installed OSSEC in our production machines yesterday and today we saw
>>> > that all the iptables rules in all the machines were flushed. Something
>>> > similar to iptables -F
>>> >
>>> > Any idea on what can cause this? I am aware that OSSEC active-response
>>> > can add or remove entries from iptables but have never known about
>>> > flushing entire iptables rules.
>>> >
>>> > Any help will be appreciated!
>>> >
>>>
>>> Which version of OSSEC? Is active response enabled?
>>>
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.

--
Doug Burks
