[ossec-list] Re: Firewall active response

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Dimitri,

A few things to check:

-Go to /var/ossec/logs/active-responses.log on the agent side and confirm that
the active response is not working. The timeout is specified to 10 minutes, so
after that time the IP will be unblocked. If there is entries in
there, it is because it is
working...

-If there is no entries in the above log file, run the active response
manually and see
if it works (agent side again):

# /var/ossec/active-response/bin/firewall-drop.sh add <user> <ip>


-Make sure there is no connection errors on ossec.log and that this agent id
is correct...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/9/07, Dimitri Yioulos <dyioulos@xxxxxxxxxxxxx> wrote:
> Hi, folks.
>
> Even though I've been using O-H for w while now, I still think I have this
> screwed up:  I want to use the firewall active response.  However, it doesn't
> seem to be working.  My firewall is on a different box from O-H server.
> Here's the directive I have in my ossec.conf file:
>
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>defined-agent</location>
>     <agent_id>004</agent_id>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
> Would someone be kind enough to give me a hand to make this work?
>
> Many thanks.
>
> Dimitri
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.