With a default agent installation of 2.9rc3 with active response included, I
was surprised by a few things:

1. Too frequent connections, even successful ones with valid logins, to an
   ftp or sftp server are considered an attack and blocked for a time. This
   was unfortunate, since we use both heavily in contexts where frequent
   connections are how the systems exchange files.

2. With iptables, OSSEC adds DROPs without having them LOGged. Yes, OSSEC
   records adding its rule to its own log. But on systems where there are
   already complex firewall rules, it's natural to see precisely what's
   being dropped in the standard logs. It's fairly standard practice with
   Netfilter to log what you drop.

3. OSSEC emails notices about the alerts, but not about its active
   responses. That seems an omission. 

It will be simple to fix the script to fix (2). Haven't quite sussed out
where the rules creating the problem for (1) are enabled -- any pointers on
finding those will be appreciated. As for (3), is that something
configurable within a stock installation, or will it require programming?

Generally on (1), if someone has a valid login, it's just not going to be an
attack. For an ftp server accepting anonymous logins, tracking frequency is
vital to defense, on the other hand. Having the default rule be to block
valid users for making "too much" use may not be ideal.

On the whole, though, I've been highly impressed with the rest of the
default behaviors.

Best,
Whit
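As an added example for point (2), here is a LOG-then-DROP active-response script in the same shape as an OSSEC firewall-drop script. It is not OSSEC's own firewall-drop.sh and is not part of Whit's message; the argument order (action, user, ip), the DRY_RUN hook, the log prefix and the sample address 203.0.113.5 are assumptions for this example. Because `iptables -I` prepends, the DROP is inserted first and the LOG second, so the LOG rule ends up above the DROP and every dropped packet is logged before it is discarded. The address argument is validated before it reaches iptables, since it originates in an alert and must never be passed to a shell unchecked.

```shell
#!/bin/sh
# Added example (not OSSEC's firewall-drop.sh): block an address with a LOG
# rule in front of the DROP on both INPUT and FORWARD.
#
# Usage: fw-drop-log.sh add|delete <user> <ip>   (argument order is assumed)
# With DRY_RUN=1 the iptables commands are printed instead of executed.

LOG_PREFIX="OSSEC-DROP: "   # assumed prefix; shows up in the kernel log

# Accept only a plain dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Execute a command, or print it when DRY_RUN=1 (also used by the tests).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add or delete the LOG+DROP pair for one chain. On add, DROP goes in first
# and LOG second so that -I leaves LOG above DROP; delete reverses the order.
rules_for_chain() {
    chain=$1; action=$2; ip=$3
    case "$action" in
        add)
            run iptables -I "$chain" -s "$ip" -j DROP
            run iptables -I "$chain" -s "$ip" -j LOG --log-prefix "$LOG_PREFIX"
            ;;
        delete)
            run iptables -D "$chain" -s "$ip" -j LOG --log-prefix "$LOG_PREFIX"
            run iptables -D "$chain" -s "$ip" -j DROP
            ;;
        *)
            echo "unknown action: $action" >&2
            return 1
            ;;
    esac
}

# Entry point: validate, apply to INPUT and FORWARD, and record the action
# on stderr so the response itself (not only the alert) leaves a trace.
firewall_drop() {
    action=$1; ip=$2
    valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 2; }
    rules_for_chain INPUT "$action" "$ip" || return 1
    rules_for_chain FORWARD "$action" "$ip" || return 1
    echo "$(date '+%Y-%m-%d %H:%M:%S') active-response $action $ip (LOG+DROP)" >&2
}

# Only act when invoked with the three positional arguments.
if [ "$#" -eq 3 ]; then
    firewall_drop "$1" "$3"
fi
```

Try it without touching the firewall with `DRY_RUN=1 ./fw-drop-log.sh add - 203.0.113.5`; the matching LOG entries then appear in the kernel log under the chosen prefix whenever the DROP fires, and a `delete` call removes both rules again.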
