subject:"\[ossec\-list\] Active\-response firewall\-drop server IP instead of agent IP when fired an agent rule"

Re: [ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2017-07-05 Thread dan (ddp)

On Wed, Jul 5, 2017 at 12:52 AM, Tunguyen  wrote:
> Hi everyone, here is my ossec.conf on the server:
>
>   
> 
> firewall-drop
> server,all
> 31152
> 600
> 30,60,90,120,150
>   
>
> rule 31152 is:
>
>   
> 31103
> 
> Multiple SQL injection attempts from same 
> souce ip.
> attack,sql_injection,
>   
>
> After i tried to SQL injection to the agent using agent IP address, the rule
> 31152 fired, i still can connect to the agent IP, but i can't connect to the
> server IP, and i found out that i was blocked away from the server IP. If i
> change server, all into all, i was
> not blocked anymore by either server or agent. So are there anything
> happened to my config?
>

I don't think that option can accept multiple locations. Use 2
active-response configurations, one for the server and the other for
all.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2017-07-04 Thread Tunguyen

Hi everyone, here is my ossec.conf on the server:

  

firewall-drop
server,all
31152
600
30,60,90,120,150
  

rule 31152 is:

  
31103

Multiple SQL injection attempts from same 
souce ip.
attack,sql_injection,
  

After i tried to SQL injection to the agent using agent IP address, the 
rule 31152 fired, i still can connect to the agent IP, but i can't connect 
to the server IP, and i found out that i was blocked away from the server 
IP. If i change server, all into 
all, i was not blocked anymore by either server or 
agent. So are there anything happened to my config?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

[ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2 matches

Site Navigation

Mail list logo

Footer information