On Wed, Jul 5, 2017 at 12:52 AM, Tunguyen wrote:
> Hi everyone, here is my ossec.conf on the server:
>
>
>
> firewall-drop
> server,all
> 31152
> 600
> 30,60,90,120,150
>
>
> rule 31152 is:
>
>
> 31103
>
> Multiple SQL injection attempts from same
> souce ip.
> attack,sql_injection,
>
>
> After i tried to SQL injection to the agent using agent IP address, the rule
> 31152 fired, i still can connect to the agent IP, but i can't connect to the
> server IP, and i found out that i was blocked away from the server IP. If i
> change server, all into all, i was
> not blocked anymore by either server or agent. So are there anything
> happened to my config?
>
I don't think that option can accept multiple locations. Use 2
active-response configurations, one for the server and the other for
all.
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.