Dear all
I have a strange OSSEC behaviour on an OpenSUSE Leap 15.1 x64 machine:
I configured active-response with firewall-drop. And I have seen that iptables sometimes doesn't have any drop rules in it, even if the active-response log should have added entries.
I nailed the problem down to some strange error messages in the log:
Tue Jun 2 19:01:26 CEST 2020 Unable to run (iptables returning != 1): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - 87.246.7.70
So I tried to run the adding and removing of IP addresses manually with:
/var/ossec/active-response/bin/firewall-drop.sh add - 87.246.7.70
/var/ossec/active-response/bin/firewall-drop.sh delete - 87.246.7.70
For a few minutes it works when I repeat these steps. But then suddenly the behaviour changes. Strangely, I sometimes get these errors with the delete command:
iptables: Bad rule (does a matching rule exist in that chain?).
Also sometimes the adding of an IP just hangs and never ends until I press Ctrl + C on the command line.
How can I debug why the firewall-drop.sh script is not working properly? It is very difficult to do so with so few error messages, which give no clue.
Best regards
Werner
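A first step in debugging a mismatch like the one described above is to reconcile what the active-response log says firewall-drop.sh did against the DROP rules that are actually loaded. The script below is an added example, not part of the original post or of OSSEC; it assumes the log line format "<date> <script> <add|delete> - <ip> ..." (as in the error line quoted above, with the failed run prefixed by "Unable to run"), the default log path /var/ossec/logs/active-responses.log, and that firewall-drop.sh inserts rules of the form "-s <ip> -j DROP" in the INPUT chain. The sample log and rule listing embedded in it are constructed.

```shell
#!/bin/sh
# Added example: reconcile OSSEC active-response log entries against live
# iptables DROP rules. Assumed log format (verify against your own log):
#   "<date> <path>/firewall-drop.sh <add|delete> - <ip> ..."
# A line containing "Unable to run" records a failed execution: a failed add
# leaves no rule, a failed delete leaves the rule in place.

# Constructed sample data (IPs from documentation ranges), used when run stand-alone.
SAMPLE_LOG='Tue Jun 2 18:55:10 CEST 2020 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1591116910.1234 5712
Tue Jun 2 18:57:30 CEST 2020 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1591117050.5678 5712
Tue Jun 2 19:01:26 CEST 2020 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.7 1591117050.5678 5712
Tue Jun 2 19:01:26 CEST 2020 Unable to run (iptables returning != 1): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10'
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# expected_blocked: read active-responses.log on stdin; print, sorted, the IPs
# whose most recent logged action should have left a DROP rule in place.
expected_blocked() {
    awk '
        /firewall-drop\.sh (add|delete) - / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /firewall-drop\.sh$/) { act = $(i+1); ip = $(i+3); break }
            failed = ($0 ~ /Unable to run/)
            if (act == "add") state[ip] = failed ? 0 : 1
            else              state[ip] = failed ? 1 : 0
        }
        END { for (ip in state) if (state[ip]) print ip }
    ' | sort
}

# actual_blocked: read "iptables -S INPUT" output on stdin; print, sorted, the
# source addresses of DROP rules (the /32 suffix is stripped).
actual_blocked() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "DROP" {
            for (i = 3; i < NF; i++)
                if ($i == "-s") { sub(/\/32$/, "", $(i+1)); print $(i+1) }
         }' | sort
}

# reconcile EXPECTED_FILE ACTUAL_FILE: print "MISSING <ip>" for IPs the log says
# are blocked but have no rule, "STALE <ip>" for rules with no matching add.
# Returns 0 when both sets agree, 1 otherwise.
reconcile() {
    out=$( { comm -23 "$1" "$2" | sed 's/^/MISSING /'
             comm -13 "$1" "$2" | sed 's/^/STALE /'; } )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Stand-alone run on the constructed sample. On a real host use instead:
#   expected_blocked < /var/ossec/logs/active-responses.log > "$exp_f"
#   iptables -S INPUT | actual_blocked > "$act_f"
exp_f=$(mktemp); act_f=$(mktemp)
printf '%s\n' "$SAMPLE_LOG"   | expected_blocked > "$exp_f"
printf '%s\n' "$SAMPLE_RULES" | actual_blocked   > "$act_f"
if reconcile "$exp_f" "$act_f"; then
    echo "log and iptables agree"
else
    echo "mismatch between active-response log and iptables rules"
fi
rm -f "$exp_f" "$act_f"
```

Run against the real log and the live ruleset, a MISSING line points at an add that never reached the kernel (or a rule removed by something other than firewall-drop.sh, for example a firewall reload), while a STALE line points at a delete that failed, which is the case the "Bad rule" message and the "Unable to run" log line are reporting.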