[Ossec-list] Active response: Hosts left in hosts.deny?
- Subject: [Ossec-list] Active response: Hosts left in hosts.deny?
- From: kayvan at sylvan.com (Kayvan A. Sylvan)
- Date: Sat, 8 Apr 2006 23:17:51 -0700
I am running OSSEC on several hosts now.
On one of them, running Redhat Enterprise 3 (update 7), with
kernel 2.4.21-40, I am having hosts that are being added but never
taken off hosts.deny.
For example:
# grep 85.139.186.62 /tmp/ossec-hids-responses.log
Fri Apr 7 17:00:52 EDT 2006 /var/ossec/active-response/bin/host-deny.sh add null 85.139.186.62
Fri Apr 7 17:00:52 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 85.139.186.62
Fri Apr 7 17:11:32 EDT 2006 /var/ossec/active-response/bin/host-deny.sh delete null 85.139.186.62
Fri Apr 7 17:11:32 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh delete null 85.139.186.62
However, the IP address is still in hosts.deny.
I don't understand the "null" in the above argument lists, either.
I'm pretty sure this is some kind of subtle bug, since it appears that the
intent is for the IPs to be temporarily blocked and then unblocked.
Can anyone help shed some light on this?
---Kayvan
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
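
A check for the symptom described in this post, as an added example that is not part of the original message or of OSSEC's code: it reads a response log in the format quoted above and reports addresses whose last host-deny.sh action was "delete" but which are still listed in hosts.deny. The sample log and hosts.deny contents are constructed, and the `ALL:<ip>` entry format and the function names are assumptions.

```python
import re

# Matches the tail of a response-log line: .../<script>.sh <action> <user> <ip>
LOG_RE = re.compile(r"/(?P<script>[\w.-]+\.sh)\s+(?P<action>add|delete)\s+\S+\s+"
                    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed sample data (documentation addresses), same layout as the post.
SAMPLE_LOG = """\
Fri Apr 7 17:00:52 EDT 2006 /var/ossec/active-response/bin/host-deny.sh add null 198.51.100.7
Fri Apr 7 17:00:52 EDT 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 198.51.100.7
Fri Apr 7 17:05:10 EDT 2006 /var/ossec/active-response/bin/host-deny.sh add null 192.0.2.10
Fri Apr 7 17:11:32 EDT 2006 /var/ossec/active-response/bin/host-deny.sh delete null 198.51.100.7
Fri Apr 7 17:15:50 EDT 2006 /var/ossec/active-response/bin/host-deny.sh delete null 192.0.2.10
Fri Apr 7 17:20:01 EDT 2006 /var/ossec/active-response/bin/host-deny.sh add null 203.0.113.5
"""
# Assumed entry format: one "ALL:<ip>" rule per blocked address.
SAMPLE_HOSTS_DENY = "# constructed\nALL:198.51.100.7\nALL:203.0.113.5\n"

def last_actions(log_text, script="host-deny.sh"):
    """Map each IP to the last action the given script logged for it."""
    last = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["script"] == script:
            last[m["ip"]] = m["action"]
    return last

def denied_clients(hosts_deny_text):
    """Collect client entries from 'daemon_list : client_list' rules."""
    clients = set()
    for line in hosts_deny_text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) >= 2:
            clients.update(t for t in re.split(r"[,\s]+", fields[1]) if t)
    return clients

def audit(log_text, hosts_deny_text):
    """Return (stale, missing): deleted-but-still-listed, added-but-not-listed."""
    denied = denied_clients(hosts_deny_text)
    last = last_actions(log_text)
    stale = sorted(ip for ip, act in last.items() if act == "delete" and ip in denied)
    missing = sorted(ip for ip, act in last.items() if act == "add" and ip not in denied)
    return stale, missing

if __name__ == "__main__":
    stale, missing = audit(SAMPLE_LOG, SAMPLE_HOSTS_DENY)
    print("deleted in log but still in hosts.deny:", stale)
    print("added in log but not in hosts.deny:", missing)
```

On a live host the two arguments would be the contents of the response log and of /etc/hosts.deny; a non-empty first list reproduces the condition reported here.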
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.