Ok, I have reinstalled ossec client and same problem ... It is searching
ipfilter ...


On Mon, Apr 8, 2013 at 7:18 PM, dan (ddp) <ddp...@gmail.com> wrote:

> On Mon, Apr 8, 2013 at 3:17 PM, C. L. Martinez <carlopm...@gmail.com>
> wrote:
> > Uhmm ... I do not remember but maybe can be the problem. I will try it
> > tomorrow
> >
>
> Thanks. I'll be working on the documentation to make this clearer and
> to provide clear instructions on how to fix these types of issues.
>
> >
> > On Monday, April 8, 2013, dan (ddp) <ddp...@gmail.com> wrote:
> >> On Mon, Apr 8, 2013 at 10:36 AM, C. L. Martinez <carlopm...@gmail.com>
> >> wrote:
> >>> I am using FreeBSD 9.1 amd64 ..
> >>>
> >>
> >> Did you have 'pf_enable="YES"' in your rc.conf when you installed
> >> OSSEC? Not having that set is the only way I can see for the ipf
> >> script to be put in place instead of the pf one.
> >>
> >>>
> >>> On Mon, Apr 8, 2013 at 2:34 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>>>
> >>>> On Mon, Apr 8, 2013 at 10:29 AM, C. L. Martinez <carlopm...@gmail.com>
> >>>> wrote:
> >>>> > Ok, using pf.sh script, works as expected. Can I reconfigure
> >>>> > agent.conf to use pf.sh as active response instead of
> >>>> > firewall-drop.sh script only for FreeBSD hosts ??
> >>>> >
> >>>>
> >>>> I don't think so. I'm pretty sure those are server side settings. The
> >>>> problem is that firewall-drop.sh should contain the contents of pf.sh.
> >>>> This should have been done during installation.
> >>>>
> >>>> What version of FreeBSD are you using? I don't like installing legacy
> >>>> OSes, but I installed solaris recently so I guess I can install FBSD
> >>>> as well for testing.
> >>>>
> >>>> >
> >>>> > On Mon, Apr 8, 2013 at 2:25 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>>> >>
> >>>> >> On Mon, Apr 8, 2013 at 10:19 AM, C. L. Martinez
> >>>> >> <carlopm...@gmail.com>
> >>>> >> wrote:
> >>>> >> > AFAIK, FreeBSD can use three different firewall types: ipf, ipfw
> >>>> >> > and
> >>>> >> > pf
> >>>> >> > ...
> >>>> >> >
> >>>> >>
> >>>> >> It looks like FreeBSD with pf enabled should be using pf.sh. Try
> >>>> >> running the same command you did previously, but with pf.sh instead.
> >>>> >> If that works, copying it over firewall-drop.sh should be the way to
> >>>> >> go.
> >>>> >>
> >>>> >> I'll have a look at the installer logic to see if I can figure out
> >>>> >> where this went wrong, so please report success/failure of the above.
> >>>> >>
> >>>> >> >
> >>>> >> > On Mon, Apr 8, 2013 at 2:16 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>>> >> >>
> >>>> >> >> On Mon, Apr 8, 2013 at 10:12 AM, C. L. Martinez
> >>>> >> >> <carlopm...@gmail.com>
> >>>> >> >> wrote:
> >>>> >> >> > Correct, but for this reason, I ask the question ...
> >>>> >> >> >
> >>>> >> >>
> >>>> >> >> Does freebsd use ipf anymore? Is it still a knob?
> >>>> >> >>
> >>>> >> >> >
> >>>> >> >> > On Mon, Apr 8, 2013 at 2:09 PM, dan (ddp) <ddp...@gmail.com>
> >>>> >> >> > wrote:
> >>>> >> >> >>
> >>>> >> >> >> On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez
> >>>> >> >> >> <carlopm...@gmail.com>
> >>>> >> >> >> wrote:
> >>>> >> >> >> > Yep, it is searching ipf ...
> >>>> >> >> >> >
> >>>> >> >> >> > root@itafbsd01:/data/logs/plain# /bin/sh -x /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15
> >>>> >> >> >> > + uname
> >>>> >> >> >> > + UNAME=FreeBSD
> >>>> >> >> >> > + ECHO=/bin/echo
> >>>> >> >> >> > + GREP=/bin/grep
> >>>> >> >> >> > + IPTABLES=''
> >>>> >> >> >> > + IP4TABLES=/sbin/iptables
> >>>> >> >> >> > + IP6TABLES=/sbin/ip6tables
> >>>> >> >> >> > + IPFILTER=/sbin/ipf
> >>>> >> >> >> > + [ XFreeBSD = XSunOS ]
> >>>> >> >> >> > + GENFILT=/usr/sbin/genfilt
> >>>> >> >> >> > + LSFILT=/usr/sbin/lsfilt
> >>>> >> >> >> > + MKFILT=/usr/sbin/mkfilt
> >>>> >> >> >> > + RMFILT=/usr/sbin/rmfilt
> >>>> >> >> >> > + ARG1=''
> >>>> >> >> >> > + ARG
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/groups/opt_out.
> >
> >

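The check discussed in this thread (whether rc.conf enables pf, and whether firewall-drop.sh actually holds the contents of pf.sh), as an added example that is not part of the thread or of OSSEC. The function names and status words are made up for this sketch; the active-response path is the one shown in the trace above, and /etc/rc.conf is assumed as the rc.conf location.

```shell
#!/bin/sh
# Added example, not part of the thread or of OSSEC.

# Succeeds when rc.conf carries an uncommented pf_enable="YES" line, the
# setting the thread says the installer looks for.
# Assumption: a single pf_enable line; later overrides and rc.conf.local
# are not considered.
pf_enabled() {
    grep -Eiq "^[[:space:]]*pf_enable=[\"']?YES[\"']?([[:space:]#]|\$)" \
        "${1:-/etc/rc.conf}" 2>/dev/null
}

# Prints one word describing firewall-drop.sh relative to pf.sh:
#   ok              pf enabled and firewall-drop.sh is byte-identical to pf.sh
#   mismatch        pf enabled but firewall-drop.sh holds some other script
#   pf-not-enabled  rc.conf does not enable pf, so the pf script is not expected
#   missing         one of the two scripts is absent
check_firewall_drop() {
    rc_conf=${1:-/etc/rc.conf}
    ar_dir=${2:-/usr/local/ossec-hids/active-response/bin}
    if ! pf_enabled "$rc_conf"; then
        echo pf-not-enabled
    elif [ ! -f "$ar_dir/firewall-drop.sh" ] || [ ! -f "$ar_dir/pf.sh" ]; then
        echo missing
    elif cmp -s "$ar_dir/pf.sh" "$ar_dir/firewall-drop.sh"; then
        echo ok
    else
        echo mismatch
    fi
}

# Report for this host, or for the rc.conf and directory given as arguments.
check_firewall_drop "$@"
```

A `mismatch` result corresponds to the situation in the thread, where copying pf.sh over firewall-drop.sh was the suggested fix.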