Hello all,
we use OSSEC as server/agent on SLES9 (OSSEC server) and Debian servers
(OSSEC agents). We want to react to unauthorized access/connections on
the agent side. The secure connection between the agent and the server
is established. The agent sends data to the server. The server and the
agent are correctly installed as server and agent.
We have the problem that neither the agent nor the server reacts with an
active response.
In the OSSEC log file on the agent side we can't find any recognition of this.
If we change the location in the server configuration to local and we
attack the agent, the server blocks our connections for the configured
time, but the agent doesn't react!
We use OSSEC version 1.5.
Where is the problem?
Here is the server configuration:
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- We act on these IDs:
  11251-53: proftp
  11451,52: vsftp
  5701,5703,5705,5710,5712,5719,5720: ssh
  30114: apache
  31151-54,31161: webrules
  5631: telnet
  5551: pam
  40601: attack
-->

<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>002</agent_id>
  <rules_id>5701,5703,5705,5710,5712,5719,5720,40601</rules_id>
  <timeout>300</timeout>
</active-response>
Could anybody help us?
Thanks a lot.
Joachim Krais
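As an added example (not part of the original post or of OSSEC itself), a small consistency check for the server-side `<command>`/`<active-response>` fragment above: it verifies that each active-response references a defined command, that the `<location>` value is one OSSEC accepts, that `defined-agent` comes with an `<agent_id>`, that `<rules_id>` holds only numeric IDs, and that `<timeout>` is only set when the command allows it. The wrapping `<ossec_config>` root and the `check_active_response` function name are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the server-side fragment from the post, wrapped in a
# root element so a standard XML parser accepts it (ossec.conf uses <ossec_config>).
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>5701,5703,5705,5710,5712,5719,5720,40601</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>"""

# Location values OSSEC's active-response block accepts.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


def check_active_response(conf_xml):
    """Return a list of problems found in the <command>/<active-response> blocks."""
    root = ET.fromstring(conf_xml)
    problems = []
    commands = {}
    for cmd in root.findall("command"):
        name = cmd.findtext("name")
        commands[name] = cmd
        if not cmd.findtext("executable"):
            problems.append(f"command {name!r} has no <executable>")
    for ar in root.findall("active-response"):
        cmd_name = ar.findtext("command")
        loc = ar.findtext("location")
        if cmd_name not in commands:
            problems.append(f"active-response refers to undefined command {cmd_name!r}")
        if loc not in VALID_LOCATIONS:
            problems.append(f"invalid <location> {loc!r}")
        if loc == "defined-agent" and not ar.findtext("agent_id"):
            problems.append("location defined-agent without <agent_id>")
        bad = [r for r in (ar.findtext("rules_id") or "").split(",") if not r.strip().isdigit()]
        if bad:
            problems.append(f"non-numeric rules_id entries: {bad}")
        cmd = commands.get(cmd_name)
        if ar.findtext("timeout") and cmd is not None and cmd.findtext("timeout_allowed") != "yes":
            problems.append(f"timeout set but command {cmd_name!r} has timeout_allowed != yes")
    return problems
```

The check only covers the server-side fragment's internal consistency; whether the agent actually executes the command also depends on the agent host, where the script must exist in its active-response/bin directory and active response must not be disabled in the agent's own ossec.conf.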