Hi Ossec Users,

I have recently been using OSSEC HIDS, and I find that it does not work
well when I try to control the active-response configuration.

The topology is OSSEC-server <-> OSSEC-agent, and on the agent I have
installed Apache 2.2.6.

Active response on the server is achieved with host-deny.



Configuration on the server is:

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>


Configuration on the agent is:

  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/apache2.2.6/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/apache2.2.6/logs/error_log</location>
  </localfile>



The problem is:

Although I defined the active-response on the server to be triggered
only by rules 5712 and 5720, which are sshd rules, when multiple errors
from the same IP turned up in the Apache logs, the IP was blocked in
hosts.deny on the agent.



Any ideas to help me out?



Thank you.



Xu Feng

From China
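As an added example that is not part of the original post, here is a small Python checker that parses the `<active-response>` block from the post and reports, for a given alert, which of the block's filters would bind the response to that rule. It rests on one assumption, stated in the code and worth verifying against your own OSSEC version: the `level`, `rules_id` and `rules_group` filters are independent triggers, so the response fires as soon as any one of them matches rather than only when all of them do. The alert ids used are rule 5712 from the post, plus 5710 and the web rule 31151, which are assumed from the stock OSSEC rule set; the alerts themselves are constructed.

```python
"""
Added example (not from the original post): a checker for OSSEC
<active-response> blocks. It parses the blocks from an ossec.conf fragment
and, for a given alert, lists which filters on each block match.

Assumption (verify against your OSSEC version): the filters on a block,
namely level, rules_id and rules_group, are independent triggers, so the
response is bound to a rule as soon as ANY one of them matches; they are
not combined as an AND.
"""
import xml.etree.ElementTree as ET

# The block from the post, wrapped in <ossec_config> so it parses as a document.
POSTED_CONF = """<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""

# The same block with the <level> filter removed, so only the listed rules trigger it.
FIXED_CONF = """<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""

# Constructed alerts. 5712 is one of the sshd rules named in the post; the
# web-rule id 31151 (multiple 400 errors from one source, level 10) and the
# level-5 sshd rule 5710 are assumed from the stock OSSEC rule set.
SSHD_BRUTE_FORCE = {"id": "5712", "level": 10, "groups": ["syslog", "sshd", "authentication_failures"]}
WEB_400_BURST = {"id": "31151", "level": 10, "groups": ["web", "accesslog", "attack"]}
SSHD_NONEXISTENT_USER = {"id": "5710", "level": 5, "groups": ["syslog", "sshd", "invalid_login"]}


def _text(parent, tag):
    """Stripped text of the first child <tag>, or None when absent/empty."""
    node = parent.find(tag)
    return node.text.strip() if node is not None and node.text else None


def _csv(value):
    """Split a comma-separated option such as <rules_id>5712,5720</rules_id> into a set."""
    return {item.strip() for item in value.split(",") if item.strip()} if value else set()


def parse_active_responses(conf_xml):
    """Return one dict per <active-response> block found in conf_xml."""
    root = ET.fromstring(conf_xml)
    blocks = []
    for ar in root.iter("active-response"):
        level = _text(ar, "level")
        blocks.append({
            "command": _text(ar, "command"),
            "level": int(level) if level else None,
            "rules_id": _csv(_text(ar, "rules_id")),
            "rules_group": _csv(_text(ar, "rules_group")),
        })
    return blocks


def matching_filters(block, alert):
    """List the filters on `block` that the alert satisfies (empty list = no response)."""
    hits = []
    if block["level"] is not None and alert["level"] >= block["level"]:
        hits.append("level")
    if alert["id"] in block["rules_id"]:
        hits.append("rules_id")
    if block["rules_group"] & set(alert["groups"]):
        hits.append("rules_group")
    return hits


def explain(conf_xml, alerts):
    """Map each alert id to {command: matching filters} for every block in the config."""
    report = {}
    for block in parse_active_responses(conf_xml):
        for alert in alerts:
            report.setdefault(alert["id"], {})[block["command"]] = matching_filters(block, alert)
    return report


if __name__ == "__main__":
    alerts = [SSHD_BRUTE_FORCE, WEB_400_BURST, SSHD_NONEXISTENT_USER]
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, explain(conf, alerts))
```

Under the stated assumption, the posted block binds host-deny to the web alert through the `level` filter alone (level 10 is at or above 6), whatever `rules_id` says, which is consistent with the behaviour described in the post. Dropping `<level>` and keeping only `<rules_id>` leaves the response bound to the two sshd rules and nothing else; a dry run of the checker against your real ossec.conf and the rules you care about is a cheap way to confirm which blocks can fire before the blocking script runs on the agent.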
