I think the answer is no. When I use a null route to block an IP for a given agent, if I manually remove that null route for an IP (I don't know if the null route was there before the OSSEC agent null-routed it), then the agent won't re-null-route the IP until the timeout has happened or I restart the agent. Perhaps the answer for you is to use a block mechanism that is unique to the OSSEC agent and not anything else.
Sorry I couldn't help more.

On Thursday, April 5, 2012 8:08:15 AM UTC-7, Joel Oliveira wrote:
>
> Hello,
>
> Just bumping this issue. Does anyone know anything about this?
>
> Thanks,
> Joel Oliveira
>
> On Wednesday, 21 March 2012 16:58:44 UTC, Joel Oliveira wrote:
>>
>> Hello Daniel and all,
>>
>> I am using OSSEC 2.5.1 on different Linux environments for the past year
>> and a half with OpenSIPs and Asterisk applications to ban SIP brute-forcing
>> attackers, and of course it is doing its job very well. Thank you to all
>> the people involved with the development of this software.
>>
>> So, for the past 2 days I've been in a battle to find a way to check
>> which IPs are blocked by OSSEC-Server in an agent. I know that if I look
>> into the active-responses.log I'll see what actions were taken in a
>> certain agent (add and delete from the iptables), and if I look at the
>> iptables I'll be able to see the blocked IPs as well. But in an agent where
>> the iptables are complex there is no way of making sure that I am looking
>> at OSSEC-inserted rules.
>>
>> My theory is that the server or the agent knows the association between
>> the timeout, the blocked IP and the agent, so that it can remove that
>> active-response (rule in the iptables) just after the timeout occurred.
>> Question is: where can I find that association, i.e. where is the list of
>> the blocked IPs of an agent?
>>
>> I already looked into this list and the IRC channel and didn't find any
>> information regarding this, which to me is odd because it seems to me
>> that this should be a functionality asked for by a lot of people.
>>
>> On the same page as this problem, I would like to know if it's possible to
>> remove an iptables rule without doing an "iptables -D" and without
>> restarting the agent. You see, if I remove a rule "by hand", and because I
>> am using timeouts of 24h, if the attacker tries again it'll send
>> email_alerts but it'll not apply the active-response. So, my other question
>> is: is it possible to remove an active response before its timeout where
>> the agent is aware of that?
>>
>> Thank you very much for your time. Best Regards,
>> Joel Oliveira
>>
>
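Added example (editor's code, not from the thread and not part of OSSEC): the thread mentions that active-responses.log records every add and delete the agent ran, so the agent's own view of "currently blocked" can be reconstructed by replaying that log, and then diffed against `iptables -S` output to find rules that were removed by hand (which, as the reply above notes, the agent still considers blocked until the timeout) and DROP rules that OSSEC does not own. The log line format (`<date> <script> <add|delete> <user> <srcip> <alert-id> <rule-id>`), the sample log lines, the sample iptables output and the timeline constants are all assumptions constructed for the example; check them against a real agent's log before relying on the parser.

```python
"""Replay an OSSEC agent's active-responses.log to list the IPs the agent
still considers blocked, then reconcile that list with `iptables -S` output.

Editor's example, not OSSEC code. Assumed OSSEC 2.x log line format:
  <date> <script> <add|delete> <user> <srcip> <alert-id> <rule-id>
"""
import re
from datetime import datetime, timedelta

# Constructed sample active-responses.log lines (assumed format, not real data).
SAMPLE_AR_LOG = """\
Wed Mar 21 10:00:01 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.10 1332324001.100 31151
Wed Mar 21 10:05:30 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1332324330.200 31151
Wed Mar 21 10:10:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.10 1332324001.100 31151
Wed Mar 21 10:20:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.10 1332325200.300 31151
"""

# Constructed sample of `iptables -S INPUT`; the 203.0.113.10 rule was removed by hand.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
"""

# Constructed timeline for the demonstration: "now" and a point ~23h later.
TIMEOUT = timedelta(hours=24)
EXAMPLE_NOW = datetime(2012, 3, 21, 11, 0, 0)
EXAMPLE_LATER = EXAMPLE_NOW + timedelta(hours=23, minutes=10)

AR_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert>\S+) (?P<rule>\S+)$"
)
# Unconditional source-IP DROP, the shape firewall-drop.sh inserts into INPUT/FORWARD.
DROP_RULE = re.compile(r"^-A \S+ -s (?P<ip>[\d.]+)(?:/32)? -j DROP$")


def parse_ar_log(text):
    """Yield (timestamp, action, ip, script) for every well-formed log line."""
    for line in text.splitlines():
        m = AR_LINE.match(line)
        if not m:
            continue  # truncated lines or free-form output from other scripts
        stamp = " ".join(m.group("ts").split())  # collapse "Mar  4" padding
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Z %Y")
        yield ts, m.group("action"), m.group("ip"), m.group("script")


def blocked_ips(text, now, timeout, script_suffix="firewall-drop.sh"):
    """Return {ip: blocked_since} for IPs the agent still considers blocked.

    An add with no later delete is treated as active; if its age exceeds the
    configured timeout it is dropped anyway, in case the delete was never
    logged (agent restarted, script failed)."""
    active = {}
    for ts, action, ip, script in parse_ar_log(text):
        if not script.endswith(script_suffix):
            continue
        if action == "add":
            active[ip] = ts
        else:
            active.pop(ip, None)
    return {ip: ts for ip, ts in active.items() if now - ts < timeout}


def iptables_drops(text):
    """Set of source IPs that have an unconditional DROP rule in `iptables -S` output."""
    return {m.group("ip") for m in map(DROP_RULE.match, text.splitlines()) if m}


def reconcile(ar_text, ipt_text, now, timeout):
    """Compare the agent's view with the live firewall.

    missing:   agent thinks blocked but no DROP rule exists (removed by hand;
               the agent will not re-add it until the timeout expires)
    unmanaged: DROP rules OSSEC did not add, or whose timeout already passed"""
    agent_view = blocked_ips(ar_text, now, timeout)
    live = iptables_drops(ipt_text)
    return {
        "blocked": agent_view,
        "missing": sorted(set(agent_view) - live),
        "unmanaged": sorted(live - set(agent_view)),
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_AR_LOG, SAMPLE_IPTABLES, EXAMPLE_NOW, TIMEOUT)
    for ip, since in sorted(result["blocked"].items()):
        print(f"agent believes {ip} blocked since {since:%Y-%m-%d %H:%M:%S}")
    print("missing from iptables:", result["missing"])
    print("DROP rules not owned by OSSEC:", result["unmanaged"])
```

On a real agent, feed it `cat /var/ossec/logs/active-responses.log` and `iptables -S INPUT` with the agent's actual `<timeout>`; an IP in `missing` is exactly the state the reply above describes, where a hand-removed rule leaves the agent believing the block is still in place, and an IP in `unmanaged` is a DROP rule that some other mechanism (or an already-expired response) owns.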