On Nov 11, 2016 4:11 PM, "Whit Blauvelt" <[email protected]> wrote:
>
> With a default agent installation of 2.9rc3 with active response included, I
> was surprised by a few things:
>
> 1. Too frequent connections, even successful ones with valid logins, to an
> ftp or sftp server are considered an attack and blocked for a time. This
> was unfortunate, since we use both heavily in contexts where frequent
> connections are how the systems exchange files.
>
I think you're expected to tweak ossec to your usage.

> 2. With iptables, OSSEC adds DROPs without having them LOGged. Yes, OSSEC
> records adding its rule to its own log. But on systems where there are
> already complex firewall rules, it's natural to see precisely what's
> being dropped in the standard logs. It's fairly standard practice with
> Netfilter to log what you drop.
>

Please submit a pull request.

> 3. OSSEC emails notices about the alerts, but not about its active
> responses. That seems an omission.
>

Configure ossec to watch the ar log file, then make sure there is a rule to
alert you to it doing things. Or create a rule. I can't remember if there is
one by default or not.

> It will be simple to fix the script to fix (2). Haven't quite sussed out
> where the rules creating the problem for (1) are enabled -- any pointers on
> finding those will be appreciated. As for (3), is that something
> configurable within a stock installation, or will it require programming?
>
> Generally on (1), if someone has a valid login, it's just not going to be an
> attack. For an ftp server accepting anonymous logins tracking frequency is
> vital to defense, on the other hand. Having the default rule be to block
> valid users for making "too much" use may not be ideal.
>
> On the whole, though, I've been highly impressed with the rest of the
> default behaviors.
>
> Best,
> Whit
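An added example, not from this thread, of the configuration the reply describes for item 3: have OSSEC read its own active-response log and add a local rule that alerts (and emails) whenever a response script runs. It assumes the default agent path /var/ossec/logs/active-responses.log, that the stock scripts write the invoked script path into each log line, and that rule id 100100 is unused in local_rules.xml.

```xml
<!-- Added example (assumed paths and rule id), not a stock OSSEC file. -->

<!-- ossec.conf on the agent that runs active response:
     collect the log the response scripts append to.
     syslog format is fine here: no decoder matches these lines, so the
     rule below falls back to a plain <match> on the raw text. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
</ossec_config>

<!-- rules/local_rules.xml on the server: one alert per executed response.
     Stock scripts log "<date> <script path> <add|delete> <user> <ip> ...",
     so matching on the bin directory catches firewall-drop, host-deny, etc.
     alert_by_email forces a mail regardless of email_alert_level. -->
<group name="local,active_response,">
  <rule id="100100" level="10">
    <match>/active-response/bin/</match>
    <description>OSSEC active response executed (firewall-drop, host-deny, ...)</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

After restarting ossec, each firewall-drop add/delete line produces its own alert, so the block and its later expiry both show up in email alongside the triggering alert.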
