On Tue, Jun 14, 2016 at 9:53 AM, Zeal Vora <sunzealv...@gmail.com> wrote:
> Indeed. I went through the machine logs and there are 2 entries (many of them with different IPs):
>
> /var/ossec/active-response/bin/firewall-drop.sh add - X.X.X.X 1465898743.25694869 5706
> /var/ossec/active-response/bin/host-deny.sh delete X.X.X.X *
>
> Is there any way to figure out what exactly happened? I checked the active-responses.log in that client but cannot find any relevant entries.
>

Go through the installation on a new agent, verify the iptables ruleset at various steps. I didn't see anything in the installation scripts, but I'm not using 2.8 either (although I see even fewer references to the binary in 2.8.2 sources).

> On Tuesday, June 14, 2016 at 7:14:28 PM UTC+5:30, dan (ddpbsd) wrote:
> > On Tue, Jun 14, 2016 at 9:42 AM, dan (ddp) <ddp...@gmail.com> wrote:
> > > On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora <sunze...@gmail.com> wrote:
> > > > Yes. In the active-response I do see various entries of adding IPs to host-deny.sh
> > > >
> > > > /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X 1465234313.25970854 5720.
> > > >
> >
> > Also, host-deny.sh only deals with the hosts.deny file, so that entry should be unrelated.
> > The script that deals with the firewall is firewall-drop.sh, I believe.
> >
> > > > However I am not sure on what caused OSSEC to flush all the iptables rules.
> > > > We installed it yesterday and in all the machines it flushed the iptables rules.
> > > >
> > >
> > > Did it flush during installation, or after at some point? I've just installed from the master repo and it didn't flush the firewall rules. I don't have any active responses setup on these machines though.
> > >
> > > > On Tuesday, June 14, 2016 at 6:39:55 PM UTC+5:30, dan (ddpbsd) wrote:
> > > > > On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora <sunze...@gmail.com> wrote:
> > > > > > I'm using the latest version of OSSEC (2.8) and yes active response is enabled.
> > > > > >
> > > > >
> > > > > The latest version is 2.8.3.
> > > > >
> > > > > > So currently OSSEC clients are actively blocking attacks but due to some reason they have also flushed all the iptables rules from memory (like iptables -F)
> > > > > >
> > > > >
> > > > > Are there any entries in the activeresponse log file that might shed a clue?
> > > > >
> > > > > > On Tuesday, June 14, 2016 at 6:24:52 PM UTC+5:30, dan (ddpbsd) wrote:
> > > > > > > On Tue, Jun 14, 2016 at 8:17 AM, Zeal Vora <sunze...@gmail.com> wrote:
> > > > > > > > Hi
> > > > > > > >
> > > > > > > > We installed OSSEC in our production machines yesterday and today we saw that all the iptables rules in all the machines were flushed. Something similar to iptables -F
> > > > > > > >
> > > > > > > > Any idea on what can cause this? I am aware that OSSEC active-response can add or remove entries from iptables but have never known about flushing entire iptables rules.
> > > > > > > >
> > > > > > > > Any help will be appreciated!
> > > > > > > >
> > > > > > >
> > > > > > > Which version of OSSEC? Is active response enabled?
> > > > > > >

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
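As an added example (not from the thread and not OSSEC's own code) of the reconciliation the thread is circling: a small Python parser for active-response entries in the shape quoted above, which works out which IPs firewall-drop.sh added and never deleted and checks them against an `iptables -S` dump, so an expected block that is absent points at something outside the active-response scripts. The sample log lines and iptables output are constructed; the IPv4-only match and the `-s IP/32 -j DROP` rule shape are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the active-response entries quoted in the
# thread (script, action, user, ip, timestamp, rule id). Real OSSEC lines carry a
# leading date, so the parser keys on the ".sh" token rather than on column 0.
SAMPLE_LOG = """\
Tue Jun 14 09:10:01 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1465898743.25694869 5706
Tue Jun 14 09:10:01 UTC 2016 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1465898743.25694869 5706
Tue Jun 14 09:20:01 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1465898743.25694869 5706
Tue Jun 14 09:25:13 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1465899913.25700001 5712
this line is not an active-response entry and is skipped
"""

# Constructed `iptables -S INPUT` output with no DROP rules, i.e. the flushed state.
SAMPLE_IPTABLES = "-P INPUT ACCEPT\n"

# IPv4 only (assumption); the optional tail is "<timestamp> <rule id>".
ENTRY = re.compile(r"(\S+\.sh)\s+(add|delete)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+\S+\s+(\S+))?")

def parse(text):
    """One dict per recognised entry: script basename, action, user, ip, rule id."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            entries.append({"script": m.group(1).rsplit("/", 1)[-1], "action": m.group(2),
                            "user": m.group(3), "ip": m.group(4), "rule": m.group(5)})
    return entries

def summarize(entries):
    """Count (script, action) pairs: shows at a glance what active response did."""
    return Counter((e["script"], e["action"]) for e in entries)

def still_blocked(entries, script="firewall-drop.sh"):
    """IPs the script added and never deleted: these should still be in iptables."""
    blocked = set()
    for e in entries:
        if e["script"] == script:
            (blocked.add if e["action"] == "add" else blocked.discard)(e["ip"])
    return blocked

def missing_from_firewall(expected_ips, iptables_dump):
    """Expected DROP entries absent from an `iptables -S` dump: evidence of a flush
    or a removal that did not go through the active-response scripts."""
    present = set(re.findall(r"-s (\d+\.\d+\.\d+\.\d+)(?:/32)? -j DROP", iptables_dump))
    return set(expected_ips) - present

if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    print(summarize(found))
    expected = still_blocked(found)
    print("expected blocks:", expected)
    print("missing from firewall:", missing_from_firewall(expected, SAMPLE_IPTABLES))
```

Run it against the agent's real active-responses.log and `iptables -S INPUT` output instead of the constructed samples; a non-empty "missing" set alongside add entries with no matching delete is the signal that the rules went away by some other path.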