Hi Darvin,

If you look at the file /var/ossec/logs/active-responses.log you will see a list of all active responses:

Sun Apr 12 03:18:46 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 211.140.13.19 1239517126.7334 5706
Sun Apr 12 18:58:22 ADT 2009 /var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81 1239573502.49820 5706
Sun Apr 12 18:58:23 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81 1239573502.49820 5706
Sun Apr 12 19:08:56 ADT 2009 /var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81 1239574135.50684 5706
Sun Apr 12 19:08:56 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81 1239574135.50684 5706
Wed Apr 15 10:19:14 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 200.55.1.162 1239801553.31766 5706

The last argument is the rule that generated it... That should give what you want.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Apr 14, 2009 at 12:33 PM, Darvin Denmian <darvin.denm...@gmail.com> wrote:
>
> Maddler,
> your solution is good, but I need to know what OSSEC rule triggered
> the "active response".
> Thanks for the reply!!!
>
> On Tue, Apr 14, 2009 at 12:15 PM, William Maddler <n...@maddler.net> wrote:
>>
>> On 14/04/2009 16:01, Darvin Denmian wrote:
>>> Hello,
>>>
>>> I have an application server, and looking at the iptables rules I
>>> realized that there were a lot of blocking rules.
>>> I need to know what is happening to trigger these "active responses"
>>> or what rule generates these responses.
>>>
>>> Can anyone help me?
>>>
>>> Sorry for the bad English.
>>>
>> I solved this using the comment module for iptables and a slightly modified
>> firewall-drop.sh script:
>>
>>     # We should run on linux
>>     if [ "X${UNAME}" = "XLinux" ]; then
>>         if [ "x${ACTION}" = "xadd" ]; then
>>             ARG1="-I INPUT -s ${IP} -j DROP -m comment --comment SID:$5"
>>
>> Adding a timestamp is trivial as well.
>>
>> Hope this helps
>>
>> Maddler
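As an added example that is not part of this thread (not Daniel's, Maddler's or the OSSEC project's code), the shell functions below answer Darvin's question directly from the log layout Daniel quotes: each active-responses.log line ends with the script, the action, the user field ("-"), the source IP, the alert ID and the rule ID. The sample log is constructed from the lines in the thread plus one extra "delete" line so the action filter has something to exclude; the function names and the field positions counted from the end of the line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: summarize OSSEC active-responses.log
# by rule ID and source IP so you can see which rule triggered each block.
# Assumed line layout (matches the lines Daniel quoted):
#   <date, 6 fields> <script> <action> <user> <ip> <alert-id> <rule-id>
# Fields are taken from the end of the line (NF), so a different date
# format with a different number of words would still parse.

# Constructed sample log: the thread's six lines plus one "delete" entry.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sun Apr 12 03:18:46 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 211.140.13.19 1239517126.7334 5706
Sun Apr 12 18:58:22 ADT 2009 /var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81 1239573502.49820 5706
Sun Apr 12 18:58:23 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81 1239573502.49820 5706
Sun Apr 12 19:08:56 ADT 2009 /var/ossec/active-response/bin/host-deny.sh add - 202.100.219.81 1239574135.50684 5706
Sun Apr 12 19:08:56 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 202.100.219.81 1239574135.50684 5706
Wed Apr 15 10:19:14 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 200.55.1.162 1239801553.31766 5706
Sun Apr 12 03:28:46 ADT 2009 /var/ossec/active-response/bin/firewall-drop.sh delete - 211.140.13.19 1239517126.7334 5706
EOF

# summarize_blocks LOGFILE [SCRIPT]
# Prints "rule_id ip count" for every "add" performed by SCRIPT
# (default firewall-drop.sh), most frequently blocked IPs first.
# "delete" entries (timeout removals) are ignored so counts reflect blocks.
summarize_blocks() {
    log="$1"
    script="${2:-firewall-drop.sh}"
    awk -v script="$script" '
        NF >= 12 && $(NF-4) == "add" && $(NF-5) ~ ("/" script "$") {
            count[$NF " " $(NF-2)]++
        }
        END { for (k in count) print k, count[k] }
    ' "$log" | sort -k3,3nr -k2,2
}

# rule_for_ip LOGFILE IP
# Prints the distinct rule IDs that caused IP to be blocked (empty if none).
rule_for_ip() {
    log="$1"
    ip="$2"
    awk -v ip="$ip" '
        NF >= 12 && $(NF-2) == ip && $(NF-4) == "add" { print $NF }
    ' "$log" | sort -u
}

summarize_blocks "$SAMPLE_LOG"            # first line: 5706 202.100.219.81 2
summarize_blocks "$SAMPLE_LOG" host-deny.sh
rule_for_ip "$SAMPLE_LOG" 202.100.219.81  # prints: 5706
```

On a real agent, point the functions at /var/ossec/logs/active-responses.log instead of the constructed file; the rule ID they print is the one to look up in the OSSEC rules to understand why the block happened, and a rule that shows up with an unexpectedly high count is the place to start tuning before relaxing the active response itself.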