On Jun 7, 2017 2:09 PM, "sandaway" <junjun....@gmail.com> wrote:

I really need some help. It looks like my OSSEC setup, a server and two clients,
could not run active response properly. From the active-responses.log, the
firewall-drop.sh command runs either on the server or on the clients, depending on
the <location> I set, as in the following example.

  <!-- Active Response Config -->
  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>all, server</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>


When I use "<location>all</location>", two clients run the same
firewall-drop.sh, but not the server:
Client 1:
Wed Jun  7 12:51:59 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706
Wed Jun  7 13:02:30 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706

Client 2:
Wed Jun  7 12:53:28 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706
Wed Jun  7 13:03:58 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706

The event was triggered on Client 2, based on examination of the secure log.
The system time is a bit off.

When I use "<location>server</location>" or "<location>all,
server</location>", then active response only runs on the server. No action
on the clients.

My question is: how should I configure OSSEC so that active response runs on
both the server and the clients?


Have 2 active response blocks, one for the server and one for all.



Please help.

-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
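The two-block configuration the reply suggests, written out as an added example (not the thread author's or the OSSEC project's own configuration). It reuses the level, timeout and repeated_offenders values from the question and assumes the stock firewall-drop `<command>` definition that ships in the default ossec.conf, reproduced here so the fragment is complete; the behaviour it relies on is the one reported in the thread: `all` reached both clients but not the server, while `server` or `all, server` in a single block reached only the server.

```xml
<ossec_config>
  <!-- Command definition, as shipped in the default ossec.conf
       (assumed already present on the server; shown for completeness). -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Block 1: run firewall-drop on the OSSEC server itself. -->
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

  <!-- Block 2: the same response pushed to every connected agent.
       Kept separate from block 1 because, per the thread, combining
       "all" and "server" in one <location> ran only on the server. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
```

This goes in the server's /var/ossec/etc/ossec.conf, since the server-side analysis daemon decides which responses to dispatch; the agents only need active response not to be disabled in their own ossec.conf. After `/var/ossec/bin/ossec-control restart`, the check is the same one used in the question: an `add` line in /var/ossec/logs/active-responses.log on the server and on each client for the same source IP, followed by the matching `delete` line once the 600-second timeout expires.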
