Re: [ossec-list] A few comments on default active-response settings

2016-11-21 Thread dan (ddp)
On Fri, Nov 18, 2016 at 6:00 PM, Christina Plummer wrote: > My 2 cents: > > 1) I got tripped up by the fact that the default alert level to trigger an > active response is 6, while the default alert level to trigger an email is > 7. There were a number of times when

Re: [ossec-list] A few comments on default active-response settings

2016-11-21 Thread dan (ddp)
On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt wrote: > Hi Dan, > > Since I skipped answering this: > > On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote: > >> > Except in a context of anon FTP servers (does anyone run those any more?) >> > blocking IPs because they

Re: [ossec-list] A few comments on default active-response settings

2016-11-18 Thread Christina Plummer
My 2 cents: 1) I got tripped up by the fact that the default alert level to trigger an active response is 6, while the default alert level to trigger an email is 7. There were a number of times when communication between 2 internal hosts on my network suddenly stopped working, then mysteriously

Re: [ossec-list] A few comments on default active-response settings

2016-11-18 Thread Whit Blauvelt
Hi Dan, Since I skipped answering this: On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote: > > Except in a context of anon FTP servers (does anyone run those any more?) > > blocking IPs because they connect using valid logins "too often" is a > > dangerous default. "First, do no harm."

Re: [ossec-list] A few comments on default active-response settings

2016-11-14 Thread dan (ddp)
On Mon, Nov 14, 2016 at 10:51 AM, Whit Blauvelt wrote: > On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote: >> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote: >> > >> > With a default agent installation of 2.9rc3 with active response included, >>

Re: [ossec-list] A few comments on default active-response settings

2016-11-14 Thread Whit Blauvelt
On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote: > On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote: > > > > With a default agent installation of 2.9rc3 with active response included, I > > was surprised by a few things: > > > > 1. Too frequent connections, even

Re: [ossec-list] A few comments on default active-response settings

2016-11-11 Thread dan (ddp)
On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote: > > With a default agent installation of 2.9rc3 with active response included, I > was surprised by a few things: > > 1. Too frequent connections, even successful ones with valid logins, to an >ftp or sftp server are

[ossec-list] A few comments on default active-response settings

2016-11-11 Thread Whit Blauvelt
With a default agent installation of 2.9rc3 with active response included, I was surprised by a few things: 1. Too frequent connections, even successful ones with valid logins, to an ftp or sftp server are considered an attack and blocked for a time. This was unfortunate, since we use both
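The two defaults this thread turns on (Whit's point that a firewall block fires on frequent but otherwise valid logins, and Christina's point that active response triggers at level 6 while email only starts at level 7, so silent blocks between internal hosts are easy to miss) can be seen side by side in ossec.conf. The fragment below is an added example, not configuration from the original posts or shipped by the OSSEC project: the email address, the internal address range, the rule group name and the timeout values are assumptions for illustration and would need to match your own rules and network.

```xml
<!-- Added example: default-style settings on the agent/server (as discussed
     in the thread). Active response starts at alert level 6, but email
     notification only starts at level 7, so a level-6 block sends no mail. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>   <!-- assumed address -->
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>  <!-- mail from level 7 upward -->
  </alerts>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>        <!-- any level-6+ alert from any rule blocks srcip -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Added example: the same pieces tightened so that a block never happens
     silently, never hits trusted internal hosts, and is no longer driven by
     successful-login frequency rules. -->
<ossec_config>
  <global>
    <!-- assumed internal range; whitelisted sources are never blocked -->
    <white_list>10.0.0.0/8</white_list>
  </global>

  <alerts>
    <!-- lower the email threshold to the active-response threshold, so every
         alert that can trigger a block also produces a notification -->
    <email_alert_level>6</email_alert_level>
  </alerts>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <!-- restrict to authentication-failure rules only; the group name is an
         assumption and must match the <group> tags used in your rules -->
    <rules_group>authentication_failures</rules_group>
    <timeout>600</timeout>
    <!-- assumed escalation: repeat offenders get longer blocks (minutes) -->
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
```

Three settings do the work here: `<white_list>` under `<global>` exempts the internal hosts whose traffic was mysteriously interrupted, `<rules_group>` (or `<rules_id>`) scopes the response so that a high-frequency rule matching valid logins no longer reaches the firewall, and aligning `<email_alert_level>` with the active-response `<level>` closes the gap between "blocked" and "told about it". OSSEC merges multiple `<ossec_config>` blocks, so the second block can be appended to an existing file, but the `<level>`, `<timeout>` and escalation values above are illustrative and should be checked against the rules actually loaded on the host.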