Hi Dimitri,

If I understood you correctly, you want to execute all the responses on your
firewall, right? If this is correct, follow this step by step "howto":

1- Install an ossec agent on your firewall (the one that does routing
and has iptables).

2- Configure this agent on the server as you did with the other agent.

3- Go to your ossec server and edit the ossec.conf file. In the active-response
config, under "location", change it from "local" to "defined-agent". In addition
to that, add another element "<agent_id>" with the id of the agent that you just
added in the firewall. If you forgot the id, just run the manage_agents tool
and get it from there. Your config would be something like this (if the firewall
has the id 003):

 <active-response>
   <command>firewall-drop</command>
   <location>defined-agent</location>
   <agent_id>003</agent_id>
   <level>6</level>
   <timeout>600</timeout>
 </active-response>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/8/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:

Hello to all.

First, congratulations to the development team on an excellent piece of
software (recognized by SANS, no less)!  It was easy to install, and
tweaking to one's own specifications is straightforward.  I very much
look forward to future releases.

Apologies if this is completely lame, but one tweak that I'd like some
help on is firewalling.  I have installed ossec-hids on a separate
server, and added the agent piece to other servers, which mainly sit in
a DMZ.  I have iptables/router on yet another box that has been
serving my organization admirably (I'd also like to monitor this box
with ossec-hids).

What I'd like to do is use the iptables/router box to be the recipient of
IP addresses added to the deny list, rather than the ossec-hids
server.  I'm thinking that this should be possible, but don't know
how to do it.  Can someone help?

Many thanks, and best wishes.

Dimitri
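
Added example, not part of the original thread and not OSSEC's own code: a small Python check for step 3 of the howto above. It parses an ossec.conf and reports active-response blocks that use "defined-agent" without an <agent_id>, set an <agent_id> under another location, or name a command with no <command> definition. The function name, the sample config and its <command> definition are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: block 1 is the config from the reply, block 2 omits
# <agent_id>. The <command> definition is an assumed one for illustration.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <level>6</level>
  </active-response>
</ossec_config>
"""

def check_active_responses(conf_text):
    """Return (block_number, problem) tuples for active-response blocks."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    # Command definitions have a <name> child; references are text-only.
    defined = {c.findtext("name").strip()
               for c in root.iter("command") if c.find("name") is not None}
    problems = []
    for n, ar in enumerate(root.iter("active-response"), start=1):
        cmd = (ar.findtext("command") or "").strip()
        loc = (ar.findtext("location") or "").strip()
        agent = (ar.findtext("agent_id") or "").strip()
        if not cmd:          # e.g. a block that only sets <disabled>
            continue
        if cmd not in defined:
            problems.append((n, f"command '{cmd}' has no <command> definition"))
        if loc == "defined-agent" and not agent:
            problems.append((n, "location is defined-agent but <agent_id> is missing"))
        elif agent and loc != "defined-agent":
            problems.append((n, f"agent_id {agent} set but location is '{loc}'"))
        if agent and not agent.isdigit():
            problems.append((n, f"agent_id '{agent}' is not numeric"))
    return problems
```

Run it against the server's ossec.conf text before restarting OSSEC; an empty list means every block passed these checks.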
