Are you sure it was OSSEC? I just had a look at
https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh
The only iptables commands it does are the following four, and I
can't see how they would flush an entire table/chain.
iptables -I INPUT -s ${IP} -j DROP
iptables -I FORWARD -s ${IP} -j DROP
iptables -D INPUT -s ${IP} -j DROP
iptables -D FORWARD -s ${IP} -j DROP
Do you have any other scripts running to manage your iptables
that may conflict with the ossec active response script?
--