Hi Ryan, I am not too good at tuning my active response or rules. Any tips on how to go about it?
On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze <r...@dopefish.de> wrote:
> Sounds like you may want to look into fine tuning your active response
> and/or rules.
>
> On 11/9/2015 10:11 PM, frwa onto wrote:
>
> Hi Santiago,
> I am just running as standalone, so it's not a manager or agent. I have another machine, for instance, where I am using the older OSSEC 2.7.1. In that one I have tried, say, my phpMyAdmin, and when I start browsing huge data OSSEC will block me, and only after some time can I log in. Here is the active response log:
>
> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
> Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
> Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
>
> I don't know what the trigger is exactly, but I know it is due to my browsing of huge data. How do I overcome this issue? In my older version I saw this error too:
>
> ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>
> This is my worry on the new machine using 2.8.1: the app might get blocked from accessing the data.
>
> On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett wrote:
>>
>> Are you running an agent or the manager? I don't think OSSEC would block access to your mysql db.
>>
>> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <frwa...@gmail.com> wrote:
>>
>>> Hi,
>>> I have a CentOS server. I have managed to install OSSEC 2.8.1. It mainly runs a socket programming app. For every instance of a connection it will receive data and insert it into a MySQL db.
>>> What I am worried about is in what scenario it will block access to this local MySQL db, as I can see there are some rules for MySQL. Sorry, very new to these.
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
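A worked example of the tuning Ryan suggests, added here; it is not OSSEC project code and not something anyone in the thread posted. It reads active-response log lines in the format quoted above (the sample lines are constructed, modelled on the ones in the post, with a second source IP added so the ranking means something), reports which source IP and rule id keep causing blocks, and then prints the two usual ways to stop a trusted host from being blocked: a `<white_list>` entry under `<global>` in ossec.conf, or a rule in local_rules.xml that matches the firing rule for that source IP and re-classifies it at a level below the `<level>` set in the `<active-response>` blocks. The local rule id 100100 and the level 3 used in the demo are assumptions; use any unused id in the local range and any level under your own active-response threshold.

```shell
#!/bin/sh
# Added example, not OSSEC project code: find what keeps triggering active
# response and print the tuning snippets that exempt a trusted source IP.
#
# Active-response log line format (as quoted in the thread):
#   <date> <script> <add|delete> <user> <srcip> <alert_id> <rule_id>
# Fields are taken from the end of the line, so the width of the date prefix
# does not matter.

AR_LOG=/var/ossec/logs/active-responses.log   # default location in OSSEC 2.x

# Constructed sample, modelled on the lines in the post, plus a second host.
SAMPLE_AR_LOG='Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 12:03:05 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447128185.9921 31106
Tue Nov 10 12:03:05 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447128185.9921 31106
Tue Nov 10 12:10:40 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.201 1447128640.10500 31106'

# ar_summary: read an active-response log on stdin and print
# "<blocks> <srcip> <rule_id>", most frequent first. Only "add" actions of
# firewall-drop.sh are counted, so one block event is counted once even when
# host-deny.sh fires for the same alert id.
ar_summary() {
    awk '$(NF-4) == "add" && $(NF-5) ~ /firewall-drop\.sh$/ { n[$(NF-2) " " $NF]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# whitelist_snippet <ip>: ossec.conf fragment exempting <ip> from every active response.
whitelist_snippet() {
    cat <<EOF
<ossec_config>
  <global>
    <white_list>$1</white_list>
  </global>
</ossec_config>
EOF
}

# local_rule_override <rule_id> <ip> <level>: local_rules.xml fragment that
# re-classifies alerts from <rule_id> for <ip> at <level>. Keep <level> below
# the <level> in your <active-response> blocks so no block fires, while the
# alert itself is still logged. Rule id 100100 is an assumption: use any unused
# id in the local range 100000-109999.
local_rule_override() {
    cat <<EOF
<group name="local,">
  <rule id="100100" level="$3">
    <if_sid>$1</if_sid>
    <srcip>$2</srcip>
    <description>Trusted host $2: lowered below the active-response threshold.</description>
  </rule>
</group>
EOF
}

# top_offender: the "<blocks> <srcip> <rule_id>" line ranked first in the sample.
top_offender() {
    printf '%s\n' "$SAMPLE_AR_LOG" | ar_summary | head -n 1
}

# Demo on the constructed sample; on a real host use "ar_summary < $AR_LOG".
set -- $(top_offender)                  # $1=blocks $2=srcip $3=rule_id
echo "$1 block(s) of $2 by rule $3; inspect it with: grep -rn 'id=\"$3\"' /var/ossec/rules/"
whitelist_snippet "$2"
local_rule_override "$3" "$2" 3
```

The last field of each log line is the rule id that fired, so grepping for it under /var/ossec/rules/ tells you what OSSEC thought it saw before you decide between the two fixes. The whitelist is the blunt option (that IP is never blocked by anything); the local rule keeps active response on for everyone else and still records the alert. The "delete" lines about ten minutes after each "add" are the `<timeout>` of the active-response block expiring, which is why the poster could log in again after a while.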