On Fri, Dec 17, 2010 at 7:27 AM, Ankush Grover <ankushos...@gmail.com> wrote:
> Hi Friends,
>
> I have installed Ossec 2.5.1 on a Centos 5.x machine and an agent (2.5.1) on
> Windows XP where IIS is running. From another test machine (linux) I tried
> to wget some false files from the IIS server, which resulted in 404 errors on
> the IIS server. I do get email alerts showing that there are 400 error
> codes, but the offending IP address is not getting blocked, as I am able to
> download the correct files from the IIS server at the same time.
>
Which rule are you getting emails for? 31101? This one is only level 5 and
won't trigger your AR. I'm guessing 31151 should trigger it though. Does
route-null.cmd log its activity anywhere? Did you check that log? I guess
it's possible that the srcip isn't getting passed along from the 31151 rule.

> Do let me know why the offending IP address is not getting blocked and also,
> if you need any further information.
>
> route print from the Windows Agent
>
> 172.16.4.134 255.255.255.255 172.16.4.184 172.16.4.184 1
>
> Ossec.conf on the Windows Agent
>
> <localfile>
>   <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
>   <log_format>iis</log_format>
> </localfile>
>
> <command>
>   <name>win_nullroute</name>
>   <executable>route-null.cmd</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <command>win_nullroute</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> <active-response>
>   <disabled>no</disabled>
> </active-response>
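The reply's diagnosis rests on two gates that sit between an alert and the route-null.cmd script: the alert's rule level must reach the `<level>` of the `<active-response>` block, and the alert must actually carry the field the `<command>` `<expect>`s, here `srcip`. The following Python script is an added illustration of that gating, not OSSEC's code and not something from this thread; it takes the configuration posted above, the level-5 fact stated for rule 31101, and a set of constructed alerts (the level assigned to 31151 and the source address are assumptions) and reports which alert would fire the response and why.

```python
# Added illustration of the alert-level gating described in the reply; this is
# not OSSEC's own code.  It models the two checks applied before an active
# response runs: the rule level must reach the configured <level>, and the
# alert must carry the field the <command> <expect>s (srcip), otherwise there
# is nothing to hand to route-null.cmd.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alert:
    rule_id: int
    level: int
    srcip: Optional[str] = None  # None models an alert where no srcip was decoded


@dataclass
class ActiveResponse:
    """Mirrors the <active-response>/<command> pair posted in the thread."""
    command: str
    level: int       # <level>6</level>
    expect: str      # <expect>srcip</expect>
    timeout: int     # <timeout>600</timeout>


@dataclass
class Decision:
    fires: bool
    reason: str
    argument: Optional[str] = None  # value passed to the script when it fires


def evaluate(alert: Alert, ar: ActiveResponse) -> Decision:
    """Decide whether `alert` would trigger `ar`, and explain the outcome."""
    if alert.level < ar.level:
        return Decision(False, f"rule {alert.rule_id} is level {alert.level}, "
                               f"below the AR level {ar.level}")
    value = getattr(alert, ar.expect, None)
    if not value:
        return Decision(False, f"rule {alert.rule_id} reached level {alert.level} "
                               f"but the alert carries no {ar.expect}")
    return Decision(True, f"rule {alert.rule_id} level {alert.level} >= {ar.level}; "
                          f"{ar.expect}={value} passed to the script", value)


# The configuration posted in the thread.
WIN_NULLROUTE = ActiveResponse(command="win_nullroute", level=6,
                               expect="srcip", timeout=600)

# Constructed sample alerts.  31101 at level 5 is stated in the reply; the
# level given to 31151 and the source address are assumptions for this demo.
SAMPLE_ALERTS: List[Alert] = [
    Alert(rule_id=31101, level=5, srcip="172.16.4.134"),
    Alert(rule_id=31151, level=10, srcip="172.16.4.134"),
    Alert(rule_id=31151, level=10, srcip=None),
]


def triage(alerts: List[Alert], ar: ActiveResponse = WIN_NULLROUTE) -> List[Decision]:
    """Evaluate every alert against the response and return the decisions in order."""
    return [evaluate(a, ar) for a in alerts]


if __name__ == "__main__":
    for decision in triage(SAMPLE_ALERTS):
        status = "FIRES" if decision.fires else "skipped"
        print(f"{status:8} {decision.reason}")
```

Run as-is it walks the three constructed alerts: the level-5 alert is skipped on the level gate, the level-10 alert with a source address fires and carries `172.16.4.134` to the script, and the level-10 alert without `srcip` is skipped on the second gate, which is the failure mode the reply raises for rule 31151.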