[ossec-list] Re: white list specific ip on active response
James, please check the active-responses.log on the respective agent/device. And you might want to consider upgrading to a new version, because maybe there was indeed a bug in active response that has been addressed and fixed with a more recent version. The current stable version is 2.8.3, but if you plan to upgrade I would go for 2.9 (https://github.com/ossec/ossec-hids/releases/tag/v2.9.0beta06) as this will soon be the next official release.

On Thursday, 19 May 2016 18:37:06 UTC+2, James Siegel wrote:
>
> Active response is acting up abnormally in 2.8.1
>
> Active response is enabled.
> Subnets are whitelisted in ossec.conf on the server.
> The server and the agents have all been restarted over the past few months during patching cycles.
>
> Last week my boss was locked out by active response while demonstrating something during a webex/team call.
>
> Last night, the CEO was locked out of a different box.
>
> Both of their devices were in a whitelisted subnet range.
>
> In the case of my boss, he was logged in, and tried to su up to root and that is when it happened.
>
> The CEO tried logging in to a box and was locked out.
>
> My boss has asked me to reach out and see if anyone else is having issues.
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: white list specific ip on active response
Active response is acting up abnormally in 2.8.1

Active response is enabled.
Subnets are whitelisted in ossec.conf on the server.
The server and the agents have all been restarted over the past few months during patching cycles.

Last week my boss was locked out by active response while demonstrating something during a webex/team call.

Last night, the CEO was locked out of a different box.

Both of their devices were in a whitelisted subnet range.

In the case of my boss, he was logged in, and tried to su up to root and that is when it happened.

The CEO tried logging in to a box and was locked out.

My boss has asked me to reach out and see if anyone else is having issues.
[ossec-list] Re: white list specific ip on active response
Hi Oliver,

It seems that you configured the white_list on the agent side, but it should be set on the server's ossec.conf. That's probably why it didn't work.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Dec 13, 2008 at 2:22 PM, Oliver Jagape <oliver.jag...@concentrix.com> wrote:
> I think so, I also remember restarting it several times, but still whenever some user from this x.x.x.x IP got multiple login failures, active-response blacklisted it. Note that I already put this IP inside white_list:
>
> <global>
>   <white_list>127.0.0.1</white_list>
>   <white_list>10.1.0.0/16</white_list>
>   <white_list>x.x.x.x</white_list>
> </global>
>
> btw, here's my ossec.conf:
>
> <ossec_config>
>   <client>
>     <server-ip>192.168.1.254</server-ip>
>   </client>
>
>   <global>
>     <white_list>127.0.0.1</white_list>
>     <white_list>x.x.x.x</white_list> <!-- changed the actual IP -->
>     <white_list>10.10.0.0/16</white_list>
>     <white_list>10.14.0.0/16</white_list>
>   </global>
>
> [...]
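As an added example (not code from this thread or from OSSEC itself), the Python script below makes Daniel's point checkable: it reads the <global><white_list> entries from an ossec.conf, flags a config that is really an agent's file (it carries a <client><server-ip> block, as Oliver's did), and tests whether an address falls inside the listed entries, which is the first thing to verify in a case like James's where a device in a supposedly whitelisted subnet was still blocked. The two ossec.conf strings and the addresses are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a server-side ossec.conf (not the config posted in
# the thread). The <global><white_list> entries belong here, on the OSSEC
# server, which is Daniel's point: entries in an agent's ossec.conf do not
# exempt anything from active response.
SERVER_CONF = """<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>10.1.0.0/16</white_list>
    <white_list>10.14.0.0/16</white_list>
  </global>
</ossec_config>"""

# Constructed agent-style config, shaped like Oliver's: it has a <client>
# block pointing at the server, so its white_list is in the wrong place.
AGENT_CONF = """<ossec_config>
  <client><server-ip>192.168.1.254</server-ip></client>
  <global><white_list>10.1.0.0/16</white_list></global>
</ossec_config>"""


def white_list_entries(conf_xml):
    """Return the text of every <global><white_list> element."""
    root = ET.fromstring(conf_xml)
    return [w.text.strip() for w in root.iterfind("global/white_list") if w.text]


def is_agent_config(conf_xml):
    """A <client><server-ip> block marks this as an agent's ossec.conf."""
    return ET.fromstring(conf_xml).find("client/server-ip") is not None


def matches_white_list(ip, entries):
    """True if ip is covered by any entry, given as an address or a CIDR."""
    addr = ipaddress.ip_address(ip)
    # strict=False tolerates host bits in a CIDR entry such as 10.1.5.0/16
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def exempt_from_active_response(ip, conf_xml):
    """Would ip be exempted, given which file this config actually is?"""
    if is_agent_config(conf_xml):
        return False  # an agent-side white_list is not what the server consults
    return matches_white_list(ip, white_list_entries(conf_xml))


if __name__ == "__main__":
    for conf, name in ((SERVER_CONF, "server"), (AGENT_CONF, "agent")):
        for ip in ("10.1.200.7", "10.2.0.1"):
            print(name, ip, exempt_from_active_response(ip, conf))
```

Run it against the real server ossec.conf and the blocked address to confirm the entry is present and in the <global> section; a match here but a block in active-responses.log points at the daemon not having been restarted since the edit.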
[ossec-list] Re: white list specific ip on active response
I think so, I also remember restarting it several times, but still whenever some user from this x.x.x.x IP got multiple login failures, active-response blacklisted it. Note that I already put this IP inside white_list:

<global>
  <white_list>127.0.0.1</white_list>
  <white_list>10.1.0.0/16</white_list>
  <white_list>x.x.x.x</white_list>
</global>

btw, here's my ossec.conf:

<ossec_config>
  <client>
    <server-ip>192.168.1.254</server-ip>
  </client>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>x.x.x.x</white_list> <!-- changed the actual IP -->
    <white_list>10.10.0.0/16</white_list>
    <white_list>10.14.0.0/16</white_list>
  </global>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 6 hours -->
    <frequency>21600</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/amavis.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/*log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/amavis.log</location>
  </localfile>
</ossec_config>

Dave Cushing wrote:
> Did you remember to restart OSSEC? (hangs his head in shame) I've been caught by that one a few times..
>
> [...]
[ossec-list] Re: white list specific ip on active response
Did you remember to restart OSSEC? (hangs his head in shame) I've been caught by that one a few times..

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Oliver Jagape
Sent: Friday, December 12, 2008 10:25 AM
To: ossec-list@googlegroups.com; Dave Cushing
Subject: [ossec-list] white list specific ip on active response

Hi,

I've been reading the wiki. This is related to ignoring a specific IP on active response; it says in the example:

<global>
  <white_list>127.0.0.1</white_list>
  <white_list>10.1.0.0/16</white_list>
  <white_list>1.2.3.4</white_list>
</global>

Am I correct to put it in ossec.conf, or is there a particular conf file where I should put this? coz, putting this in ossec.conf, the IP that should be ignored is still being blacklisted by active response.

tia
Oliver