I have on my OSSEC 2.9.3 server in /var/ossec/etc/ossec.conf several
whitelisted IPs:

<ossec_config>
  <global>
    <white_list>172.21.21.35</white_list>
    ...

Yet on my clients, this IP will still get blocked at the firewall if an
active response is triggered from the host.
I have definitely restarted both server and client since the ossec.conf
change.
My active response log even shows the client blocking itself, which I would
think should be automatically excluded.
I do not see this behavior on my older 2.7 install. I notice the
active-response.log has IPs on 2.7 but full FQDN hostnames in 2.9.3. Are we
supposed to use full hostnames for the white_list now? The documentation
still says IPs.