Dear all,

I have a strange OSSEC behaviour on an OpenSUSE Leap 15.1 x64 machine.

I configured active-response with firewall-drop, and I have seen that iptables sometimes doesn't have any drop rules in it, even though the active-response log says entries should have been added. I nailed the problem down to some strange error messages in the log:

> Tue Jun 2 19:01:26 CEST 2020 Unable to run (iptables returning != 1): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - 87.246.7.70

So I tried to run the adding and removing of IP addresses manually with:

> /var/ossec/active-response/bin/firewall-drop.sh add - 87.246.7.70
> /var/ossec/active-response/bin/firewall-drop.sh delete - 87.246.7.70

For a few minutes it works when I repeat these steps. But then suddenly the behaviour changes. Strangely, I sometimes get these errors with the delete command:

> iptables: Bad rule (does a matching rule exist in that chain?).

Also, sometimes the adding of an IP just hangs and never ends until I press Ctrl + C on the command line.

How can I debug why the firewall-drop.sh script is not working properly? It is very difficult to do so with so few error messages, which give no clue.

Best regards
Werner
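An added example, not from the original post, of the reconciliation check this question calls for: replay the firewall-drop.sh add/delete entries from the active-response log and compare them with `iptables -S`, listing IPs the log says should be blocked but have no DROP rule, rules present without a matching add, and failed actions such as the one quoted above. The log and iptables lines are constructed samples, and the log line shape is assumed from the lines quoted in the post (real entries may carry extra trailing fields).

```python
import re

# Constructed sample in the shape of the active-response log lines quoted in the post.
AR_LOG = """\
Tue Jun 2 18:55:10 CEST 2020 /var/ossec/active-response/bin/firewall-drop.sh add - 87.246.7.70
Tue Jun 2 18:58:02 CEST 2020 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23
Tue Jun 2 19:01:26 CEST 2020 Unable to run (iptables returning != 1): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - 87.246.7.70
Tue Jun 2 19:03:40 CEST 2020 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23
"""

# Constructed sample of `iptables -S INPUT`: 87.246.7.70 is missing although the log says it
# should still be blocked, and 203.0.113.9 is present although no add entry exists for it.
IPTABLES_S = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.9/32 -j DROP
"""

AR_RE = re.compile(r"^(?P<date>.+?\d{4}) (?P<err>Unable to run .*?- )?"
                   r"\S+/firewall-drop\.sh (?P<action>add|delete) - (?P<ip>\S+)")
RULE_RE = re.compile(r"^-A (INPUT|FORWARD) -s (?P<ip>[\d.]+)(?:/32)? -j DROP$")

def expected_blocks(ar_log):
    """Replay the log: return (IPs that should be blocked now, failed entries)."""
    blocked, failed = set(), []
    for line in ar_log.splitlines():
        m = AR_RE.match(line)
        if not m:
            continue
        if m.group("err"):
            # A failed action did not change the firewall, so it does not alter the replay.
            failed.append((m.group("date"), m.group("action"), m.group("ip")))
        elif m.group("action") == "add":
            blocked.add(m.group("ip"))
        else:
            blocked.discard(m.group("ip"))
    return blocked, failed

def actual_blocks(iptables_s):
    """IPs that currently have a DROP rule in INPUT/FORWARD, parsed from `iptables -S` output."""
    return {m.group("ip") for m in map(RULE_RE.match, iptables_s.splitlines()) if m}

def reconcile(ar_log, iptables_s):
    """Compare what the log implies with what the firewall actually holds."""
    expected, failed = expected_blocks(ar_log)
    actual = actual_blocks(iptables_s)
    return {"missing": sorted(expected - actual),
            "unexpected": sorted(actual - expected),
            "failed": failed}

if __name__ == "__main__":
    for key, value in reconcile(AR_LOG, IPTABLES_S).items():
        print(f"{key}: {value}")
```

On a live host, feed it the real /var/ossec/logs/active-responses.log and the output of `iptables -S INPUT` (and FORWARD) instead of the constructed samples.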
