Are you being dropped?
check iptables -vnL
and flush if needed
and whitelist your needed ip in ossec.conf (dns, gateway, etc...)
you can check activeresponse log
On 2016-09-05 17:56, C. L. Martinez wrote:
On Mon 5.Sep'16 at 8:59:41 +0200, [email protected] wrote:
hi
<agent_id>003,004</agent_id> doesn't work
but each section separately is working
<active-response>
<command>firewall-drop</command>
<location>defined-agent</location>
<agent_id>067</agent_id>
<timeout>864000</timeout>
<rules_id>117154,31510,117159,117162</rules_id>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>defined-agent</location>
<agent_id>038</agent_id>
<timeout>864000</timeout>
<rules_id>117154,31510,117159,117162</rules_id>
</active-response>
be careful with that case
https://github.com/ossec/ossec-hids/issues/701
if you have a lot of attacks the script can't be fast enough (I have the
case with a Chinese DNS pointing to one of our servers by error)
cheers
Many thanks. That is what I am doing ... But until today, I didn't see
any problem, but these servers are not reachable from the Internet...
--
Greetings,
C. L. Martinez
--
---
You received this message because you are subscribed to the Google
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
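Added example, not part of the original thread or of OSSEC itself: a Python check that finds active-response blocks whose agent_id holds a comma-separated list (the form reported in the thread as not working) and emits one block per agent, the form reported as working. The function name and the sample config are constructed for illustration; it assumes the config file carries no XML declaration.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample config (not a real ossec.conf from the thread).
SAMPLE_CONF = """\
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003,004</agent_id>
    <timeout>864000</timeout>
    <rules_id>117154,31510</rules_id>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>067</agent_id>
    <timeout>864000</timeout>
  </active-response>
</ossec_config>
"""

def split_multi_agent_blocks(conf_text):
    """Return a list of (agent_ids, rewritten_blocks) for every
    active-response block whose <agent_id> is a comma-separated list."""
    # ossec.conf may hold several <ossec_config> roots, so wrap the text
    # in a synthetic root to parse it as a single XML document.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for block in root.iter("active-response"):
        node = block.find("agent_id")
        if node is None or "," not in (node.text or ""):
            continue
        ids = [i.strip() for i in node.text.split(",") if i.strip()]
        rewritten = []
        for agent in ids:
            clone = copy.deepcopy(block)  # keep command, timeout, rules_id
            clone.find("agent_id").text = agent
            clone.tail = "\n"
            rewritten.append(ET.tostring(clone, encoding="unicode"))
        findings.append((ids, rewritten))
    return findings

if __name__ == "__main__":
    for ids, blocks in split_multi_agent_blocks(SAMPLE_CONF):
        print("# agent_id list %s -> one block per agent" % ",".join(ids))
        print("".join(blocks))
```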