
[Ossec-list] Active-response (again)



Hi all,

I'm testing active-response and it's great.

First I configured my firewall active-response as:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>401</rules_id>
  <timeout>600</timeout>
</active-response>

After editing ossec.conf I restarted ossec on the server and on the agent. Is a restart needed? On both?

Anyway, I got the password wrong when connecting over ssh to the agent, and it blocked my IP 192.168.0.47. OK!

agent:~# cat /tmp/ossec-hids-responses.log
Fri Apr  7 11:31:48 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh add pedro 192.168.0.47

After that I edited ossec.conf again and changed rules_id to level 5:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>401</rules_id>
  <timeout>600</timeout>
</active-response>

I restarted ossec on the server and agent again and got the password wrong connecting over ssh to the agent from another IP, 192.168.0.49. It was blocked, wonderful! And after the timeout that rule was deleted, but the earlier rule for 192.168.0.47 wasn't deleted.
agent:~# cat /tmp/ossec-hids-responses.log
Fri Apr  7 11:31:48 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh add pedro 192.168.0.47
Fri Apr  7 11:39:33 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh add pedro 192.168.0.49
Fri Apr  7 11:50:03 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh delete pedro 192.168.0.49

Was it because I restarted ossec on the agent?

Thanks a lot, again.

Pedro. 
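The block that went stale in the post above is exactly the kind of thing worth auditing on the agent: an `add` in /tmp/ossec-hids-responses.log with no later `delete` for the same IP means a firewall-drop entry may still be in place long after the configured timeout. The following is an added example, not code from the post or from the OSSEC project. It assumes the line layout shown in the post (a `date`-style timestamp, the script path, the action, the user and the IP, separated by whitespace), ignores the zone name because Python's `%Z` only accepts the local zone, and treats every `add` without a matching `delete` as still open. The sample log and the "now" timestamp are constructed from the values in the post.

```python
"""Audit ossec-hids-responses.log for firewall-drop blocks that were added but never deleted.

Added example for the mailing-list post above; it is not part of OSSEC.
"""
from datetime import datetime

# Constructed sample, copied from the log lines quoted in the post.
SAMPLE_LOG = """\
Fri Apr  7 11:31:48 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh add pedro 192.168.0.47
Fri Apr  7 11:39:33 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh add pedro 192.168.0.49
Fri Apr  7 11:50:03 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh delete pedro 192.168.0.49
"""

# Assumed timeout from the <timeout>600</timeout> setting in the post.
TIMEOUT_SECONDS = 600


def parse_response_line(line):
    """Split one response-log line into its fields; return None for lines that do not fit the layout.

    Fields 0-5 are the `date` output (weekday, month, day, time, zone, year); the zone name is
    dropped before strptime because %Z rejects anything but the local zone names.
    """
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        stamp = datetime.strptime(
            " ".join((parts[1], parts[2], parts[3], parts[5])), "%b %d %H:%M:%S %Y"
        )
    except ValueError:
        return None
    return {"time": stamp, "script": parts[6], "action": parts[7], "user": parts[8], "ip": parts[9]}


def outstanding_blocks(log_text, timeout_seconds, now):
    """Return the firewall-drop adds with no later delete for the same IP.

    Each result carries the IP, when it was added, its age at `now`, and whether that age already
    exceeds the configured timeout (an 'overdue' block is the symptom described in the post).
    """
    open_blocks = {}
    for line in log_text.splitlines():
        entry = parse_response_line(line)
        if entry is None or not entry["script"].endswith("firewall-drop.sh"):
            continue
        if entry["action"] == "add":
            open_blocks[entry["ip"]] = entry["time"]
        elif entry["action"] == "delete":
            open_blocks.pop(entry["ip"], None)

    report = []
    for ip, added in sorted(open_blocks.items()):
        age = int((now - added).total_seconds())
        report.append({"ip": ip, "added": added, "age_seconds": age, "overdue": age > timeout_seconds})
    return report


def audit_sample():
    """Run the audit over the constructed sample as of a constructed 'now' (11:55:00 the same day)."""
    return outstanding_blocks(SAMPLE_LOG, TIMEOUT_SECONDS, datetime(2006, 4, 7, 11, 55, 0))


if __name__ == "__main__":
    for block in audit_sample():
        state = "OVERDUE" if block["overdue"] else "within timeout"
        print(f"{block['ip']} added {block['added']:%Y-%m-%d %H:%M:%S} ({block['age_seconds']}s ago): {state}")
```

Run against the real file with `outstanding_blocks(open("/tmp/ossec-hids-responses.log").read(), 600, datetime.now())`; any entry flagged overdue is a block the timeout never cleaned up and should be compared against the live firewall rules.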





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.