Hi Kivanio, I need the output from the command as I said:

# /bin/sh -x /var/ossec/active-response/bin/firewall-drop.sh add XXX 192.168.2.1

This will give me debug information from the script and not from your terminal. I also tried it on FreeBSD and it worked fine...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Apr 23, 2008 at 5:09 PM, Kivanio Barbosa <[EMAIL PROTECTED]> wrote:
> Daniel,
>
> I forgot to say OSSEC is 1.5 beta, but the same happened with 1.4.
>
> On Wed, Apr 23, 2008 at 4:00 PM, Kivanio Barbosa <[EMAIL PROTECTED]> wrote:
> > Daniel,
> >
> > I wrote in the first mail that I did it.
> >
> > So, I did it all again, see:
> >
> > My OS is FreeBSD 7.0, not OpenBSD, OK?
> >
> > FreeBSD server.org.br 7.0-RELEASE FreeBSD 7.0-RELEASE #8: Thu Mar 20 12:06:04 AMT 2008 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/server i386
> >
> > server joao /usr/home/joao # /bin/csh -x   (I use csh instead of sh)
> > You have mail.
> >
> > server joao /usr/local/ossec # cd logs/
> > chdir logs/
> > set prompt=`hostname -s` joao `pwd` #
> > hostname -s
> > pwd
> >
> > LAST LOGS:
> >
> > server joao /usr/local/ossec/logs # tail -f active-responses.log
> > tail -f active-responses.log
> > Wed Apr 23 15:34:08 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 200.154.55.4 1208978646.1095546 20101
> > Wed Apr 23 15:34:08 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 64.15.125.220 1208978568.1092931 20101
> > Wed Apr 23 15:34:09 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 200.154.55.4 1208978646.1095546 20101
> > Wed Apr 23 15:34:09 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 64.15.125.220 1208978568.1092931 20101
> > Wed Apr 23 15:34:24 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh add - 64.15.120.163 1208979264.1112819 20101
> > Wed Apr 23 15:34:24 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 64.15.120.163 1208979264.1112819 20101
> > Wed Apr 23 15:37:14 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 64.15.125.226 1208978772.1096671 20101
> > Wed Apr 23 15:37:14 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 64.15.125.226 1208978772.1096671 20101
> > Wed Apr 23 15:37:36 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh add - 64.15.117.210 1208979456.1117309 20101
> > Wed Apr 23 15:37:36 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 64.15.117.210 1208979456.1117309 20101
> >
> > TABLE CLEAR:
> >
> > server joao /usr/local/ossec/logs # pfctl -t ossec_fwtable -T show
> > pfctl -t ossec_fwtable -T show
> >
> > I TRY USING IT MANUALLY:
> >
> > server joao /usr/local/ossec/logs # /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> > /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> > cat: "/etc/pf.conf": No such file or directory
> >
> > RUN MANUALLY, THE SCRIPT DOESN'T FIND THE FILE, SO I EDITED THE FILE AND SET THE PATH /etc/pf.conf INSTEAD OF THE VARIABLE ${PFCTL_RULES}
> >
> > server joao /usr/local/ossec/logs # mcedit ../active-response/bin/firewall-drop.sh
> > mcedit ../active-response/bin/firewall-drop.sh
> >
> > TRY AGAIN:
> >
> > server joao /usr/local/ossec/logs # /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> > /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> >
> > ALL OK, BUT:
> >
> > server joao /usr/local/ossec/logs # pfctl -t ossec_fwtable -T show
> > pfctl -t ossec_fwtable -T show
> > server joao /usr/local/ossec/logs #
> >
> > TABLE STAYED CLEAR.
> >
> > On Wed, Apr 23, 2008 at 2:01 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > > Hi Kevin,
> > >
> > > The active responses are run by the ossec-execd process as root. So there is no need to use sudo in there... I initially thought about that, but since sudo is not widely supported, I decided to stick with running as root instead.
> > >
> > > Kivanio,
> > >
> > > Do you mind running the active response manually? Try
> > >
> > > # /bin/sh -x /var/ossec/active-response/bin/firewall-drop.sh add XXX 192.168.2.1
> > >
> > > And then check the content of the table:
> > >
> > > # pfctl -t ossec_fwtable -T show
> > >
> > > If that doesn't work, please show us the output from /bin/sh -x (debugging enabled)... I tried this over on OpenBSD and it is working fine...
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
>
> --
> Kivanio Pereira Barbosa
> Cel 8121-4248
>
> www.eiqconsultoria.com.br
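As an added example, not part of this thread and not OSSEC's own code: a small POSIX shell helper that replays the add/delete entries for firewall-drop.sh from active-responses.log and works out which IPs the pf table should currently hold, so that the output of `pfctl -t ossec_fwtable -T show` can be checked against it instead of by eye. The sample log is constructed from the lines Kivanio quoted; the field layout (six date fields, script, action, user, IP, alert id, rule id) and the table name ossec_fwtable are assumed from what the thread shows, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not OSSEC code): reconcile active-responses.log with the
# pf table that firewall-drop.sh maintains.
#
# Assumptions: log lines look like the ones quoted in the thread, i.e.
#   <6 date fields> <script> <add|delete> <user> <ip> <alert-id> <rule-id>
# and the table is named ossec_fwtable, as in the pfctl command quoted above.

# Constructed sample, copied from the active-responses.log lines in the thread.
SAMPLE_LOG='Wed Apr 23 15:34:08 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 200.154.55.4 1208978646.1095546 20101
Wed Apr 23 15:34:08 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 64.15.125.220 1208978568.1092931 20101
Wed Apr 23 15:34:09 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 200.154.55.4 1208978646.1095546 20101
Wed Apr 23 15:34:09 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 64.15.125.220 1208978568.1092931 20101
Wed Apr 23 15:34:24 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh add - 64.15.120.163 1208979264.1112819 20101
Wed Apr 23 15:34:24 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 64.15.120.163 1208979264.1112819 20101
Wed Apr 23 15:37:14 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 64.15.125.226 1208978772.1096671 20101
Wed Apr 23 15:37:14 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 64.15.125.226 1208978772.1096671 20101
Wed Apr 23 15:37:36 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh add - 64.15.117.210 1208979456.1117309 20101
Wed Apr 23 15:37:36 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 64.15.117.210 1208979456.1117309 20101'

# expected_fw_ips: read active-responses.log on stdin, replay every
# firewall-drop.sh add/delete in log order, and print (sorted, one per line)
# the IPs that should be in the table right now. host-deny.sh lines are
# ignored because they touch /etc/hosts.deny, not pf.
expected_fw_ips() {
    awk '
        $7 ~ /\/firewall-drop\.sh$/ {
            if ($8 == "add")         seen[$10] = 1
            else if ($8 == "delete") delete seen[$10]
        }
        END { for (ip in seen) print ip }
    ' | sort
}

# missing_from_table EXPECTED_FILE TABLE_FILE: print the expected IPs that are
# absent from TABLE_FILE, a saved copy of `pfctl -t ossec_fwtable -T show`.
# pfctl indents each entry, so leading whitespace and blank lines are dropped
# before the sorted comparison.
missing_from_table() {
    sed 's/^[[:space:]]*//; /^$/d' "$2" | sort | comm -23 "$1" -
}

# Stand-alone run against the sample log and an empty table (the situation in
# the thread): both IPs that were added should be reported as missing.
demo_exp=$(mktemp) && demo_tbl=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | expected_fw_ips > "$demo_exp"
: > "$demo_tbl"
echo "expected in ossec_fwtable:"; cat "$demo_exp"
echo "missing from table:";        missing_from_table "$demo_exp" "$demo_tbl"
rm -f "$demo_exp" "$demo_tbl"
```

On a live box the same two functions are fed the real files: `expected_fw_ips < /usr/local/ossec/logs/active-responses.log > /tmp/expected`, `pfctl -t ossec_fwtable -T show > /tmp/table`, then `missing_from_table /tmp/expected /tmp/table`. Anything it prints is an IP the log says was added (and not since deleted) that pf does not know about, which is exactly the symptom described above; an empty result with a non-empty log means execd and the script agree.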