With a default agent installation of 2.9rc3 with active response included, I
was surprised by a few things:
1. Too frequent connections, even successful ones with valid logins, to an
ftp or sftp server are considered an attack and blocked for a time. This
was unfortunate, since we use both h
On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote:
>
> With a default agent installation of 2.9rc3 with active response included, I
> was surprised by a few things:
>
> 1. Too frequent connections, even successful ones with valid logins, to an
> ftp or sftp server are considered an attack and bloc
On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote:
> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote:
> >
> > With a default agent installation of 2.9rc3 with active response included, I
> > was surprised by a few things:
> >
> > 1. Too frequent connections, even successful ones with valid
On Mon, Nov 14, 2016 at 10:51 AM, Whit Blauvelt wrote:
> On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote:
>> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote:
>> >
>> > With a default agent installation of 2.9rc3 with active response included, I
>> > was surprised by a few things:
>
Hi Dan,
Since I skipped answering this:
On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote:
> > Except in a context of anon FTP servers (does anyone run those any more?)
> > blocking IPs because they connect using valid logins "too often" is a
> > dangerous default. "First, do no harm."
>
My 2 cents:
1) I got tripped up by the fact that the default alert level to trigger an
active response is 6, while the default alert level to trigger an email is
7. There were a number of times when communication between 2 internal hosts
on my network suddenly stopped working, then mysteriously st
On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt wrote:
> Hi Dan,
>
> Since I skipped answering this:
>
> On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote:
>
>> > Except in a context of anon FTP servers (does anyone run those any more?)
>> > blocking IPs because they connect using valid lo
On Fri, Nov 18, 2016 at 6:00 PM, Christina Plummer wrote:
> My 2 cents:
>
> 1) I got tripped up by the fact that the default alert level to trigger an
> active response is 6, while the default alert level to trigger an email is
> 7. There were a number of times when communication between 2 interna