[ossec-list] Re: Active response iptables
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active response iptables
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Fri, 11 May 2007 11:57:15 -0300
Hi Gareth,
OSSEC by default will remove the active response after 10 minutes, so if you
take a while to look at them, they will not be there anymore.
Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 116.21.125.24 1178848544.10311 3104
See that we added at 03:55 and removed at 04:06... You can increase their timeout if you want...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
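The add/delete pairing Daniel points at can be checked mechanically. The script below is an added example, not part of the thread or of OSSEC itself: it parses lines in the active-responses.log format shown above (date, script, add/delete, user, source IP, alert id, rule id), pairs each delete with its add, and reports how long every block actually lasted plus which blocks are still in place. The sample input is a constructed subset of the log lines quoted in this thread.

```python
"""Pair OSSEC active-response add/delete events and report block durations."""
import re
from datetime import datetime

# One active-responses.log entry per line (format as quoted in the thread):
#   <date> <tz> <year> <script> <add|delete> <user> <srcip> <alert id> <rule id>
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert>\S+) (?P<rule>\d+)$"
)

# Constructed sample: the 116.21.125.24 and 196.211.168.210 entries from the thread.
SAMPLE_LOG = """\
Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:14:36 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 196.211.168.210 1178849676.11462 3104
Fri May 11 04:14:36 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 196.211.168.210 1178849676.11462 3104
""".splitlines()


def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "script": m["script"], "action": m["action"],
            "ip": m["ip"], "alert": m["alert"], "rule": m["rule"]}


def block_timeline(lines):
    """Pair adds with deletes by (script, ip, alert id).

    Returns (completed, still_active): completed is a list of
    (ip, script, seconds the block was in place); still_active maps the
    (script, ip, alert) key of every add without a matching delete to its time.
    """
    open_blocks, completed = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # skip garbage or unrelated lines
        key = (ev["script"], ev["ip"], ev["alert"])
        if ev["action"] == "add":
            open_blocks[key] = ev["ts"]
        elif key in open_blocks:          # delete closes the matching add
            started = open_blocks.pop(key)
            completed.append((ev["ip"], ev["script"],
                              int((ev["ts"] - started).total_seconds())))
    return completed, open_blocks


if __name__ == "__main__":
    done, active = block_timeline(SAMPLE_LOG)
    for ip, script, secs in done:
        print(f"{ip} blocked by {script.rsplit('/', 1)[-1]} for {secs} s")
    for (script, ip, _alert), ts in active.items():
        print(f"{ip} still blocked by {script.rsplit('/', 1)[-1]} since {ts}")
```

A block that shows up as "completed" after roughly 600 seconds is the default timeout at work, not a failure of the firewall script; only the "still blocked" entries should be visible in iptables or /etc/hosts.deny at the moment you look.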
On 5/10/07, Gareth Slaven <gareth.slaven@xxxxxxxxxxxx> wrote:
Hi there …
I have set up ossec with active response using firewall-drop.sh, but I can't see deny rules being added to my iptables firewall rules. Here is the ossec log, which says it's adding the rules, but I can't see anywhere in my system where the ip is being denied … what am I missing?
/var/ossec/logs/active-responses.log
Fri May 11 01:46:32 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 70.43.201.230 1178840162.4923 3104
Fri May 11 01:46:32 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 70.43.201.230 1178840162.4923 3104
Fri May 11 02:22:24 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:22:24 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:31:12 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 221.221.173.175 1178843472.7158 3104
Fri May 11 02:31:12 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 221.221.173.175 1178843472.7158 3104
Fri May 11 02:32:42 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:32:42 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 59.39.99.84 1178842944.6383 3104
Fri May 11 02:41:42 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 221.221.173.175 1178843472.7158 3104
Fri May 11 02:41:42 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 221.221.173.175 1178843472.7158 3104
Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 03:55:44 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:06:14 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 116.21.125.24 1178848544.10311 3104
Fri May 11 04:14:36 SAST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 196.211.168.210 1178849676.11462 3104
Fri May 11 04:14:36 SAST 2007 /var/ossec/active-response/bin/host-deny.sh add - 196.211.168.210 1178849676.11462 3104
--Gareth
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.