On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote:
> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" <[email protected]> wrote:
> >
> > With a default agent installation of 2.9rc3 with active response included, I
> > was surprised by a few things:
> >
> > 1. Too frequent connections, even successful ones with valid logins, to an
> > ftp or sftp server are considered an attack and blocked for a time. This
> > was unfortunate, since we use both heavily in contexts where frequent
> > connections are how the systems exchange files.
>
> I think you're expected to tweak ossec to your usage.

Certainly. But it's also a decent target to have the default installation not
be something that will be dangerously broken unless carefully tweaked first --
especially without prominent warnings about the dangers involved. Except in a
context of anon FTP servers (does anyone run those any more?) blocking IPs
because they connect using valid logins "too often" is a dangerous default.
"First, do no harm."

> > 2. With iptables, OSSEC adds DROPs without having them LOGged. Yes, OSSEC
> > records adding its rule to its own log. But on systems where there are
> > already complex firewall rules, it's natural to see precisely what's
> > being dropped in the standard logs. It's fairly standard practice with
> > Netfilter to log what you drop.
>
> Please submit a pull request.

Okay, once I work up the fix.

> > 3. OSSEC emails notices about the alerts, but not about its active
> > responses. That seems an omission.
>
> Configure ossec to watch the ar log file, then make sure there is a rule to
> alert you to it doing things. Or create a rule. I can't remember if there is
> one by default or not.

Thanks, I'll have to do that. For consistency, since ossec emails about
everything else, wouldn't it be best if this was default behavior for ar too?

Is this a project where constructive criticism is not desired? For some
projects putting out a "release candidate" is an invitation to critique, so it
can be better perfected.

Best,
Whit
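The "log what you drop" practice raised under item 2, as an added shell example that is not OSSEC's own firewall-drop active-response script: for one address it emits (or, with DRY_RUN unset, runs) a LOG rule placed immediately ahead of the DROP in a dedicated chain, so the drop shows up in the kernel firewall log like any other Netfilter rule. The chain name, log prefix and dry-run switch are assumptions made here.

```shell
#!/bin/sh
# Added example: wrap an active-response block so every DROP is preceded
# by a LOG rule. Not the project's script; chain name, prefix and the
# DRY_RUN switch are assumptions for this illustration.

CHAIN=${CHAIN:-OSSEC_AR}               # assumed chain for active-response rules
LOG_PREFIX=${LOG_PREFIX:-"OSSEC-AR-DROP: "}
DRY_RUN=${DRY_RUN:-1}                  # 1 = print the commands, do not run them

# run_ipt: run (or in dry-run mode print) one iptables command line
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# validate_ip: accept only a plain dotted-quad IPv4 address, so a
# malformed value taken from a log line can never widen the rule
validate_ip() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# block_ip add|delete <ip>: LOG then DROP for the address in $CHAIN
block_ip() {
    action=$1; ip=$2
    validate_ip "$ip" || { echo "bad address: $ip" >&2; return 1; }
    case $action in
        add)    op=-I ;;
        delete) op=-D ;;
        *)      echo "usage: block_ip add|delete <ip>" >&2; return 1 ;;
    esac
    # With -I each rule is inserted at the head of the chain, so DROP is
    # inserted first and LOG second, leaving the final order LOG -> DROP.
    run_ipt "$op" "$CHAIN" -s "$ip" -j DROP
    run_ipt "$op" "$CHAIN" -s "$ip" -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
}
```

Run it with `DRY_RUN=1 block_ip add 192.0.2.10` to see the two commands before pointing it at a live firewall.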
