Hi Dimitri,
If I understood you correctly, you want to execute all the responses on your firewall, right? If this is correct, follow this step-by-step "howto":

1- Install an ossec agent on your firewall (the one that does router and has iptables).

2- Configure this agent on the server as you did with the other agent.

3- Go to your ossec server and edit the ossec.conf file. In the active-response config, under "location", change it from "local" to "defined-agent". In addition to that, add another element "<agent_id>" with the id of the agent that you just added in the firewall. If you forgot the id, just run the manage_agents tool and get it from there.

Your config would be something like that (if the firewall has the id as 003):

    <active-response>
      <command>firewall-drop</command>
      <location>defined-agent</location>
      <agent_id>003</agent_id>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/8/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
Hello to all.

First, congratulations to the development team on an excellent piece of software (recognized by SANS, no less)! It was easy to install, and tweaking to one's own specifications is straightforward. I very much look forward to future releases.

Apologies if this is completely lame, but one tweak that I'd like some help on is firewalling. I have installed ossec-hids on a separate server, and added the agent piece to other servers which mainly sit in a DMZ. I have iptables/router on yet another box that has been serving my organization admirably (I'd also like to monitor this box with ossec-hids). What I'd like to do is use the iptables/router box to be the recipient of ip addresses added to the deny list, rather than the ossec-hids server. I'm thinking that this should be possible, but don't know how to do it. Can someone help?

Many thanks, and best wishes.

Dimitri
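
Added example, not part of the original thread and not OSSEC project code: a small pre-restart check for the active-response setup described in the reply, flagging a "defined-agent" block that lacks an agent_id or names an agent that is not registered. The function name, the sample config and the hand-supplied set of agent ids (as read from manage_agents) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample config: the first block is the one from the reply,
# the second omits <agent_id> to show the failure case.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
  </active-response>
</ossec_config>
"""

def check_active_responses(conf_text, known_agent_ids):
    """Return a list of problems found in <active-response> blocks."""
    # ossec.conf may contain several <ossec_config> roots; wrap so it parses.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    # Command definitions carry a <name> child; references do not.
    defined = {(c.findtext("name") or "").strip()
               for c in root.iter("command") if c.find("name") is not None}
    problems = []
    for n, ar in enumerate(root.iter("active-response"), 1):
        cmd, loc, aid = ((ar.findtext(t) or "").strip()
                         for t in ("command", "location", "agent_id"))
        if cmd not in defined:
            problems.append(f"#{n}: command '{cmd}' is not defined")
        if loc not in VALID_LOCATIONS:
            problems.append(f"#{n}: unknown location '{loc}'")
        if loc == "defined-agent" and not aid:
            problems.append(f"#{n}: defined-agent needs an agent_id")
        elif aid and aid not in known_agent_ids:
            problems.append(f"#{n}: agent_id {aid} is not a registered agent")
    return problems
```

Run it against the server's ossec.conf text with the ids of the registered agents; an empty list means every active-response block names a defined command, a valid location and a known agent.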
