Re: [ossec-list] Re: active-response question on the ossec server

2011-06-20 Thread Jason 'XenoPhage' Frisvold
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Jun 19, 2011, at 6:09 PM, pierz wrote: Yes exactly, regarding the manual, this is the purpose of the <location>all</location> statement. But agents don't block the IP if the attack occurs on the server. That seems to be correct. I haven't tried

Re: [ossec-list] Re: active-response question on the ossec server

2011-06-20 Thread Christopher Moraes
What OS are your agents running on? On Sun, Jun 19, 2011 at 6:09 PM, pierz pierz.h...@gmail.com wrote: Yes exactly, regarding the manual, this is the purpose of the <location>all</location> statement. But agents don't block the IP if the attack occurs on the server. On 17 June, 02:09, Jason

[ossec-list] Re: active-response question on the ossec server

2011-06-19 Thread pierz
Yes exactly, regarding the manual, this is the purpose of the <location>all</location> statement. But agents don't block the IP if the attack occurs on the server. On 17 June, 02:09, Jason Frisvold xenoph...@godshell.com wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Jun 16, 2011, at 1:59

[ossec-list] Re: active-response question on the ossec server

2007-12-06 Thread Peter M. Abraham
Hi Daniel: Welcome to the human race (smile), and thank you for letting me know about having two entries. I'm testing that now. Thank you again.

[ossec-list] Re: active-response question on the ossec server

2007-12-05 Thread Peter M. Abraham
Greetings Daniel: The all|server in location ended up just putting the active-response on the server, and missed all of the agents. If I used two sets of active responses (same SIDs), one with location all and one with location server, would that work or would the last set overwrite the first

[ossec-list] Re: active-response question on the ossec server

2007-12-02 Thread Peter M. Abraham
Greetings Daniel: The all|server in location ended up just putting the active-response on the server, and missed all of the agents. If I used two sets of active responses (same SIDs), one with location all and one with location server, would that work or would the last set overwrite the first

[ossec-list] Re: active-response question on the ossec server

2007-11-29 Thread Peter M. Abraham
Hi Daniel: Thank you.

[ossec-list] Re: active-response question on the ossec server

2007-11-29 Thread Peter M. Abraham
Hi Daniel: I just found out that the all|server ends up just using active-response on the server. The agents were not updated -- not on the initial receiving agent, or any of the other agents. Please advise. Thank you.

[ossec-list] Re: active-response question on the ossec server

2007-11-28 Thread Daniel Cid
Hi Peter, Just changing the config to the following should do it: <location>all|server</location> Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On Nov 28, 2007 2:26 PM, Peter M. Abraham [EMAIL PROTECTED] wrote: Greetings: We use the <location>all</location> in active-response to block

[ossec-list] Re: Active response question

2007-08-21 Thread Daniel Cid
Hi Peter, They should happen almost at the same time, with the active response before the e-mail (most of the time). Basically, as soon as the alert is fired, it is sent to the os-remoted (on the server), which forwards it to the correct agent. Hope it helps. -- Daniel B. Cid dcid ( at )

[ossec-list] Re: Active response question

2007-08-20 Thread Daniel Cid
Hi Peter, Note that the timeout for the active response is 10 minutes, so after that the IP is going to be removed from the block list. If you look at /var/ossec/logs/active-responses.log do you see the responses being called? (Look at the agent that generated the alert and not at the server.) If