On Mon, Nov 9, 2015 at 11:11 PM, frwa onto <[email protected]> wrote:
> Hi Santiago,
> I am just running as standalone so its not a manager or
> agent. I have another machine for instance I am using the older ossec 2.7.1
2.7.1 is way too old to provide much support for.
> in that one I have tried say I got my phpymadmin and when I start browsing
> huge data ossec will block me an only after some time I can login here is
> the active response log as below.
>
> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh
> add - 10.212.134.200 1447127292.12356 31106
So rule 31106 is triggering the AR.
<rule id="31106" level="6">
<if_sid>31103, 31104, 31105</if_sid>
<id>^200</id>
<description>A web attack returned code 200 (success).</description>
<group>attack,</group>
</rule>
You'll have to go through 31103-31105 to try and get a more specific
understanding of what is triggering the alert.
(All of this is taken from a 2.8.3+ system, so details may be
different from 2.7.1)
> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add
> - 10.212.134.200 1447127292.12356 31106
> Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
> delete - 10.212.134.200 1447127292.12356 31106
> Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh
> delete - 10.212.134.200 1447127292.12356 31106
>
> I dont know what trigger is exactly but I know due to my browsing of huge
> data and also how to overcome this issue? In my older version I saw this
> error too
> ossec-execd: INFO: Active response command not present:
> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
> system.
>
> This is my worry on the new machine using 2.8.1 the app might get block from
> accessing the data.
>
> On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett wrote:
>>
>> Are you running an agent or the manager? I don't think OSSEC would block
>> access to your mysql db.
>>
>> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <[email protected]> wrote:
>>>
>>> Hi,
>>> I have centos server. I have managed to install ossec 2.8.1. It
>>> mainly runs a socket programming app. For every instance of a connection it
>>> will receive data and insert into mysql db. What I worried in what scenario
>>> will it block the access to this local mysql db as I can see there some
>>> rules for mysql? Sorry very new to these.
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
