James,
Please check the active-responses.log on the respective agent/device.
And you might want to consider upgrading to a new version, because maybe
there was indeed a bug in active response that has been addressed and fixed
with a more recent version. Current Stable Version is 2.8.3 but if
Active response is acting up abnormally in 2.8.1
Active response is enabled.
Subnets are whitelisted in ossec.conf on the server.
The server and the agents have all been restarted over the past few months
during patching cycles.
Last week my boss was locked out by active response while
Hi Oliver,
It seems that you configured the white_list on the agent side, but it should be
set on the server's ossec.conf. That's probably why it didn't work.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, Dec 13, 2008 at 2:22 PM, Oliver Jagape
oliver.jag...@concentrix.com wrote:
I
I think so. I also remember restarting it several times, but still,
whenever some user from this x.x.x.x IP got multiple login failures,
active-response blacklisted it.
Note that I already put this IP inside white_list:
<global>
<white_list>127.0.0.1</white_list>
Did you remember to restart OSSEC? (hangs his head in shame) I've been caught
by that one a few times..
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf Of Oliver Jagape
Sent: Friday, December 12, 2008 10:25 AM
To: