Open chenfan0307 opened 6 years ago
There are two scripts in the active_response folder which have similar names, the firewalld-drop.sh and firewall-drop.sh scripts. Used the firewall-drop.sh script file. That is for iptables.
root@debian:/home/debian# ls -al /var/ossec/active-response/bin/
total 68
drwxr-x--- 2 root ossec 4096 May 19 08:02 .
drwxr-x--- 3 root ossec 4096 Apr 3 04:05 ..
-rwxr-x--- 1 root ossec 141 Jul 8 10:33 block-IP.sh
-rwxr-x--- 1 root ossec 1711 Mar 3 10:05 disable-account.sh
-rwxr-x--- 1 root ossec 3952 Mar 3 10:05 firewalld-drop.sh
-rwxr-x--- 1 root ossec 6739 Mar 3 10:05 firewall-drop.sh
-rwxr-x--- 1 root ossec 3151 Mar 3 10:05 host-deny.sh
-rwxr-x--- 1 root ossec 800 Mar 3 10:05 ip-customblock.sh
-rwxr-x--- 1 root ossec 1617 Mar 3 10:05 ipfw_mac.sh
-rwxr-x--- 1 root ossec 1385 Mar 3 10:05 ipfw.sh
-rwxr-x--- 1 root ossec 1305 Mar 3 10:05 npf.sh
-rwxr-x--- 1 root ossec 1368 Mar 3 10:05 ossec-slack.sh
-rwxr-x--- 1 root ossec 1636 Mar 3 10:05 ossec-tweeter.sh
-rwxr-x--- 1 root ossec 1949 Mar 3 10:05 pf.sh
-rwxr-x--- 1 root ossec 542 Mar 3 10:05 restart-ossec.sh
-rwxr-x--- 1 root ossec 1182 Mar 3 10:05 route-null.sh
Active response with OSSEC needs to use iptables; the default is firewalld. When I used iptables, it did not work. I don't know what to do when I use iptables.