On Wed, Jan 10, 2018 at 6:15 AM, HairLoss2018 <[email protected]> wrote:
> OK, I have resolved this issue by re-installing OSSEC and setting
> active-response to live during setup.
>
> I notice that values entered during setup are added to ossec.mc and not
> ossec.conf and in ossec.conf it says <!-- OSSEC example config -->
>
> Do I need to echo changes made in ossec.conf also in ossec.mc ??

I don't have an ossec.mc file in my installs, so I'm guessing no.

> On Tuesday, 9 January 2018 15:17:34 UTC, HairLoss2018 wrote:
>>
>> Hi,
>>
>> I have successfully installed OSSEC and am getting alerts. I installed it
>> with active-response turned off.
>>
>> I have tried to turn it on by adding <disabled>no</disabled> to the
>> ossec.conf file.
>>
>> However, I can see no changes to my iptables or the /etc/hosts.deny file
>> and I notice that when I check the status of ossec it tells me that
>> ossec-execd is not running.
>>
>> I also can't find active-response.log anywhere.
>>
>> The relevant sections of my config file are listed below which follow the
>> default settings.
>>
>> I would be very grateful if someone can suggest possible solutions to get
>> active-response working.
>>
>> Thanks,
>> Mark
>>
>>
>>   <command>
>>     <name>host-deny</name>
>>     <executable>host-deny.sh</executable>
>>     <expect>srcip</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <command>
>>     <name>firewall-drop</name>
>>     <executable>firewall-drop.sh</executable>
>>     <expect>srcip</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <command>
>>     <name>disable-account</name>
>>     <executable>disable-account.sh</executable>
>>     <expect>user</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>
>>   <!-- Active Response Config -->
>>   <active-response>
>>     <!-- This response is going to execute the host-deny
>>        - command for every event that fires a rule with
>>        - level (severity) >= 6.
>>        - The IP is going to be blocked for 600 seconds.
>>       -->
>>     <disabled>no</disabled>
>>     <command>host-deny</command>
>>     <location>local</location>
>>     <level>6</level>
>>     <timeout>600</timeout>
>>   </active-response>
>>
>>   <active-response>
>>     <!-- Firewall Drop response. Block the IP for
>>        - 600 seconds on the firewall (iptables,
>>        - ipfilter, etc).
>>       -->
>>     <disabled>no</disabled>
>>     <command>firewall-drop</command>
>>     <location>local</location>
>>     <level>6</level>
>>     <timeout>600</timeout>
>>   </active-response>
>>
>>   <active-response>
>>     <repeated_offenders>30,60,120</repeated_offenders>
>>   </active-response>
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
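A configuration check that goes with the thread above, added here as an example and not code from the list or from the OSSEC project: it parses the <command> definitions and <active-response> blocks of an ossec.conf and reports the wiring problems that leave a response silently inactive. The sample configuration is constructed to mirror the fragment quoted above, and a second constructed sample shows the installer's global <disabled>yes</disabled> block that is written when active response is declined at setup (which matches the poster's fix of reinstalling with it enabled). The checker treats an <active-response> block with no <command> as that global setting; the wrapping of the file in a synthetic root is there because an ossec.conf may contain more than one top-level <ossec_config> element.

```python
"""Sanity-check the <command> and <active-response> sections of an OSSEC
ossec.conf before restarting the daemons.  Added example, not OSSEC code."""
import re
import sys
import xml.etree.ElementTree as ET

VALID_LEVELS = range(0, 17)  # OSSEC rule levels run from 0 to 16

# Constructed sample modelled on the config fragment quoted in the thread.
SAMPLE_CONF = """<ossec_config>
  <command><name>host-deny</name><executable>host-deny.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <command><name>firewall-drop</name><executable>firewall-drop.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <active-response><disabled>no</disabled><command>host-deny</command>
    <location>local</location><level>6</level><timeout>600</timeout></active-response>
  <active-response><disabled>no</disabled><command>firewall-drop</command>
    <location>local</location><level>6</level><timeout>600</timeout></active-response>
  <active-response><repeated_offenders>30,60,120</repeated_offenders></active-response>
</ossec_config>
"""

# Second constructed sample: the global block the installer writes when active
# response is declined, a <timeout> on a command that does not allow one, and a
# response that points at a command which is never defined.
DISABLED_CONF = """<ossec_config>
  <active-response><disabled>yes</disabled></active-response>
</ossec_config>
<ossec_config>
  <command><name>host-deny</name><executable>host-deny.sh</executable>
    <expect>srcip</expect><timeout_allowed>no</timeout_allowed></command>
  <active-response><command>host-deny</command><location>local</location>
    <level>6</level><timeout>600</timeout></active-response>
  <active-response><command>firewall-drop</command><location>local</location>
    <level>6</level></active-response>
</ossec_config>
"""


def _load(text):
    # ossec.conf may hold several top-level <ossec_config> elements, so wrap the
    # whole text in a synthetic root before handing it to the XML parser.
    return ET.fromstring("<root>" + text + "</root>")


def _text(node, tag, default=None):
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else default


def parse_config(text):
    """Return ({command name: attributes}, [active-response blocks in file order])."""
    root = _load(text)
    commands = {}
    for cmd in root.iter("command"):
        if cmd.find("name") is None:
            continue  # <command>x</command> inside <active-response> is a reference
        commands[_text(cmd, "name")] = {
            "executable": _text(cmd, "executable"),
            "expect": _text(cmd, "expect"),
            "timeout_allowed": _text(cmd, "timeout_allowed", "no"),
        }
    responses = []
    for ar in root.iter("active-response"):
        responses.append({
            "command": _text(ar, "command"),
            "disabled": _text(ar, "disabled", "no"),
            "level": _text(ar, "level"),
            "timeout": _text(ar, "timeout"),
            "repeated_offenders": _text(ar, "repeated_offenders"),
        })
    return commands, responses


def check_active_responses(text):
    """Return human-readable findings; an empty list means the wiring is consistent."""
    commands, responses = parse_config(text)
    findings = []
    for r in responses:
        name = r["command"]
        if name is None:
            # No <command>: read as the global active-response setting.
            if r["disabled"] == "yes":
                findings.append("active response is globally disabled (<disabled>yes</disabled>)")
            ro = r["repeated_offenders"]
            if ro and not re.fullmatch(r"\d+(,\d+)*", ro):
                findings.append("repeated_offenders must be comma-separated minutes: %r" % ro)
            continue
        if name not in commands:
            findings.append("active-response references undefined command %r" % name)
            continue
        if r["disabled"] == "yes":
            findings.append("response %r is disabled" % name)
        if r["level"] is None or not r["level"].isdigit() or int(r["level"]) not in VALID_LEVELS:
            findings.append("response %r has a missing or invalid <level>: %r" % (name, r["level"]))
        if r["timeout"] and commands[name]["timeout_allowed"] != "yes":
            findings.append("response %r sets <timeout> but command has timeout_allowed=%s"
                            % (name, commands[name]["timeout_allowed"]))
        if not commands[name]["executable"]:
            findings.append("command %r has no <executable>" % name)
    return findings


def enabled_responses(text):
    """Names of the responses that would actually fire, in file order."""
    commands, responses = parse_config(text)
    if any(r["command"] is None and r["disabled"] == "yes" for r in responses):
        return []  # global switch is off, nothing fires regardless of per-response flags
    return [r["command"] for r in responses
            if r["command"] in commands and r["disabled"] != "yes"]


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line in check_active_responses(conf) or ["no active-response findings"]:
        print(line)
    print("enabled responses:", enabled_responses(conf))
```

Run it as `python check_ar.py /var/ossec/etc/ossec.conf` (path is the usual OSSEC location; adjust to your install). Note that the script only validates the configuration text: whether ossec-execd is actually running is still a matter for `ossec-control status`, as in the thread.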
