Hi Xu Feng, The issue is that you have both "level" and "rules_id" in your config, so ossec is acting on both. Try leaving it just as:
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <rules_id>5712,5720</rules_id>
  <timeout>600</timeout>
</active-response>

And it should work.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Dec 24, 2007 10:36 PM, xufeng <[EMAIL PROTECTED]> wrote:
>
> Hi Ossec Users,
>
> Recently I am using OSSEC HIDS, and I find OSSEC HIDS does not work
> well when I try to control the active-response configuration.
>
> The Topology is OSSEC-Server <-> OSSEC-agent, and on the agent I
> install apache 2.2.6.
>
> Active Response on the server is achieved by hosts-deny.
>
> Configuration on the server is
>
> <active-response>
>   <command>host-deny</command>
>   <location>local</location>
>   <level>6</level>
>   <rules_id>5712,5720</rules_id>
>   <timeout>600</timeout>
> </active-response>
>
> Configuration on the agent is
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/usr/local/apache2.2.6/logs/access_log</location>
> </localfile>
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/usr/local/apache2.2.6/logs/error_log</location>
> </localfile>
>
> The Problem is
>
> Though I defined the active-response on the server only being
> triggered by rules (5712,5720) which are sshd rules, when multiple
> errors from the same IP in the Apache logs turned up, the IP was
> blocked by hosts.deny on the agent.
>
> Any idea to help me out?
>
> Thank you.
>
> Xu Feng
> From China
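As an added example (not from this thread or the OSSEC project), a small Python check that parses ossec.conf text and flags any <active-response> block that sets both <level> and <rules_id>, the overlap Daniel describes; the two sample configs are constructed from the blocks quoted in the thread.

```python
"""Lint OSSEC <active-response> blocks for the level/rules_id overlap
discussed in the thread above (added example, not OSSEC project code)."""
import xml.etree.ElementTree as ET


def find_overlapping_active_responses(config_text):
    """Return (command, level, rules_id) for each <active-response> that
    sets both <level> and <rules_id>. Per Daniel's reply OSSEC acts on
    both, so such a block is not limited to the listed rule ids."""
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap
    # the text in one synthetic root before parsing.
    root = ET.fromstring("<root>" + config_text + "</root>")
    findings = []
    for ar in root.iter("active-response"):
        level = ar.findtext("level")
        rules = ar.findtext("rules_id")
        if level is not None and rules is not None:
            cmd = (ar.findtext("command") or "?").strip()
            findings.append((cmd, level.strip(), rules.strip()))
    return findings


# Constructed sample: the server config Xu Feng posted (both triggers set)
BROKEN_CONFIG = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# Constructed sample: the block as Daniel suggests it (rules_id only)
FIXED_CONFIG = BROKEN_CONFIG.replace("    <level>6</level>\n", "")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = find_overlapping_active_responses(cfg)
        if not hits:
            print(f"{name}: no active-response sets both level and rules_id")
        for cmd, level, rules in hits:
            print(f"{name}: {cmd} sets level={level} and rules_id={rules}; "
                  f"it will also fire on unrelated alerts of level {level}+")
```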
