Hi Darvin,

If you look at the file /var/ossec/logs/active-responses.log you will
see a list of all active responses:

Sun Apr 12 03:18:46 ADT 2009
/var/ossec/active-response/bin/firewall-drop.sh add - 211.140.13.19
1239517126.7334 5706
Sun Apr 12 18:58:22 ADT 2009
/var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81
1239573502.49820 5706
Sun Apr 12 18:58:23 ADT 2009
/var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81
1239573502.49820 5706
Sun Apr 12 19:08:56 ADT 2009
/var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81
1239574135.50684 5706
Sun Apr 12 19:08:56 ADT 2009
/var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81
1239574135.50684 5706
Wed Apr 15 10:19:14 ADT 2009
/var/ossec/active-response/bin/firewall-drop.sh add - 200.55.1.162
1239801553.31766 5706

The last argument is the rule that generated it... That should give
what you want.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net




On Tue, Apr 14, 2009 at 12:33 PM, Darvin Denmian
<darvin.denm...@gmail.com> wrote:
>
> Maddler,
> your solution is good, but I need to know what OSSEC rule triggered
> the "active response".
> Thanks for the reply!!!
>
> On Tue, Apr 14, 2009 at 12:15 PM, William Maddler <n...@maddler.net> wrote:
>>
>> On 14/04/2009 16:01, Darvin Denmian wrote:
>>> Hello,
>>>
>>> I have an application server, and looking at the iptables rules I
>>> realized that there were a lot of blocking rules.
>>> I need to know what is happening to trigger these "active responses"
>>> or what rule generates these responses.
>>>
>>> Can anyone help me?
>>>
>>> Sorry for the bad English.
>>>
>>>
>> I solved this using the comment module for iptables and a slightly
>> modified firewall-drop.sh script:
>> # We should run on Linux
>> if [ "X${UNAME}" = "XLinux" ]; then
>>    if [ "x${ACTION}" = "xadd" ]; then
>>       # $5 is the rule ID the script is called with (args: action user ip alert-id rule-id)
>>       ARG1="-I INPUT -s ${IP} -j DROP -m comment --comment SID:$5"
>>
>> Adding timestamp is trivial as well.
>>
>> Hope this helps
>>
>> Maddler
>>
>>
>
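The lookup Daniel describes, done mechanically, as an added example that is not part of the thread and not OSSEC's own code: it reads active-responses.log, takes the rule ID from the last field and the alert ID from the one before it, and summarizes which rule blocked which source. It assumes each entry is written as one line (`date`, then script, action, user, ip, alert-id, rule-id), so the fields are addressed from the end of the line; the sample log is constructed from the thread's excerpt, with a timed "delete" entry and a second rule ID invented for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: summarize which OSSEC rule fired each
# active response by reading active-responses.log.
# Assumption: every entry is one line,
#   <date> <script> <action> <user> <ip> <alert-id> <rule-id>
# so fields are taken from the end of the line and the date's width is irrelevant.

# Constructed sample log, modelled on the excerpt in the thread; the last two
# entries (a timed "delete" and a second, made-up rule ID) are invented for the demo.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sun Apr 12 03:18:46 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 211.140.13.19 1239517126.7334 5706
Sun Apr 12 18:58:22 ADT 2009 /var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81 1239573502.49820 5706
Sun Apr 12 18:58:23 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81 1239573502.49820 5706
Sun Apr 12 19:08:56 ADT 2009 /var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81 1239574135.50684 5706
Sun Apr 12 19:08:56 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81 1239574135.50684 5706
Wed Apr 15 10:19:14 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 200.55.1.162 1239801553.31766 5706
Wed Apr 15 10:29:14 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh delete - 200.55.1.162 1239801553.31766 5706
Wed Apr 15 11:02:40 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1239804160.52211 31151
EOF

# rules_by_ip LOG: one line per "<rule-id> <ip> <adds>", busiest pairs first.
rules_by_ip() {
    awk '$(NF-4) == "add" { n[$NF " " $(NF-2)]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort -k3,3nr -k1,1 -k2,2
}

# rules_for_ip LOG IP: the distinct rule IDs that caused IP to be blocked.
rules_for_ip() {
    awk -v ip="$2" '$(NF-4) == "add" && $(NF-2) == ip { print $NF }' "$1" | sort -u
}

# alert_ids_for_ip LOG IP: alert IDs to look up in alerts.log for the full event.
alert_ids_for_ip() {
    awk -v ip="$2" '$(NF-4) == "add" && $(NF-2) == ip { print $(NF-1) }' "$1" | sort -u
}

# still_blocked LOG: "<script> <ip>" pairs with more "add" than "delete" calls,
# i.e. blocks that the timeout has not yet undone.
still_blocked() {
    awk '{ s = $(NF-5); sub(/.*\//, "", s); k = s " " $(NF-2) }
         $(NF-4) == "add"    { b[k]++ }
         $(NF-4) == "delete" { b[k]-- }
         END { for (k in b) if (b[k] > 0) print k }' "$1" | sort
}

echo "== active responses per rule and source =="
rules_by_ip "$SAMPLE_LOG"
echo "== rule(s) behind 200.55.1.162 =="
rules_for_ip "$SAMPLE_LOG" 200.55.1.162
echo "== blocks still in place =="
still_blocked "$SAMPLE_LOG"
```

Run it with `sh`; on a real host point the functions at /var/ossec/logs/active-responses.log instead of the sample. The alert ID that `alert_ids_for_ip` prints is the same value that heads the corresponding entry in alerts.log, so it is the quickest way from a blocked address to the full log line that matched the rule.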
