On Tue, Aug 21, 2012 at 2:50 PM, Gil Vidals <gvid...@gmail.com> wrote:
> Dan,
>
> Can you tell me specifically what file to clear AND will this resolve the
> following condition:
>
> 1) active response drops an IP as planned
> 2) sysadmin restarts the firewall (which clears all the IP drop rules)
> 3) ossec believes the drop is still in place, but it isn't!
>
> Gil Vidals
>
I don't understand the problem in the above scenario. What are you trying to achieve specifically? Are you worried that the admin removed the block and OSSEC won't re-block it until after it's removed the block? Don't remove the block on the host. Or save the OSSEC blocked hosts and reload them when the firewall is reloaded. I don't know where that info is kept on the OSSEC server, possibly just in memory.

>
> On Tue, Aug 21, 2012 at 10:50 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Tue, Aug 21, 2012 at 1:37 PM, Gil Vidals <gvid...@gmail.com> wrote:
>> > How can I clear the ossec db for the active responses? I'm not using
>> > mysql for ossec. I have installed whatever the default db is.
>> >
>> > I don't need to clear the sys checks; instead I want to clear the active
>> > responses. Is there a way to do this?
>> >
>> > --
>> > Gil Vidals
>> >
>> > CONFIDENTIALITY NOTICE: The information contained in this transmission
>> > may contain privileged and confidential information. It is intended only
>> > for the use of the person(s) named above. If you are not the intended
>> > recipient, please contact the sender by reply email and permanently
>> > delete the original message.
>> >
>>
>> By default OSSEC only logs to text files. I guess you could stop the
>> OSSEC processes, clear the file, and start OSSEC back up.
>
>
> --
> Gil Vidals
>
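Dan's second suggestion (keep a record of the hosts OSSEC has dropped and re-apply them after the firewall is reloaded), written out as an added example that is not code from the thread or from the OSSEC project. It assumes a saved list with one IP per line (written by whatever wraps the active-response script; that hook is not shown) and a dump of the live ruleset from `iptables -S`; the re-add mirrors the INPUT/FORWARD DROP rules that OSSEC's firewall-drop script inserts.

```shell
#!/bin/sh
# Reconcile OSSEC's view of blocked hosts with the firewall's actual rules.
# Assumption: $1 is a file of IPs OSSEC dropped (one per line), maintained
# outside this script; $2 is a file holding the output of `iptables -S`.

# Print every saved IP that no longer has a DROP rule in the ruleset.
missing_blocks() {
    saved="$1"
    ruleset="$2"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        # `iptables -S` prints single hosts as a.b.c.d/32; accept either form.
        if ! grep -q -F -- "-s ${ip}/32 -j DROP" "$ruleset" \
           && ! grep -q -F -- "-s ${ip} -j DROP" "$ruleset"; then
            printf '%s\n' "$ip"
        fi
    done < "$saved"
}

# Re-insert DROP rules for the missing hosts in INPUT and FORWARD, the same
# chains OSSEC's firewall-drop uses. An optional third argument is a command
# prefix (e.g. "echo") so the run can be dry-run and inspected first.
reapply_blocks() {
    saved="$1"
    ruleset="$2"
    run="${3:-}"
    missing_blocks "$saved" "$ruleset" | while IFS= read -r ip; do
        $run iptables -I INPUT -s "$ip" -j DROP
        $run iptables -I FORWARD -s "$ip" -j DROP
    done
}
```

Run it from the firewall's post-reload hook (after `iptables -S > /tmp/rules.txt`, for instance) with the saved list as the first argument; the dry-run prefix lets you confirm the diff before any rule is touched.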