Hi Joachim,

Your configuration seems fine, so it should be working. Can you show us the alert that you expected the active response to run (from /var/ossec/logs/alerts.log)? Also, can you show the file /var/ossec/logs/active-response.log from the agent?

*Note that the timeout is set to 300 seconds, so after 5 minutes, the entry will be removed from the agent's firewall.

**You said that when you changed to "local" and attacked the agent, the server blocked your access. Are you sure about that? When you set it to "local", ossec will block on the agent that reported the alert.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Jun 9, 2008 at 3:14 AM, Joachim Krais <[EMAIL PROTECTED]> wrote:
>
>
> Hello together,
>
> we use OSSEC as server/agent on SLES9 (OSSEC-server) and Debian Servers
> (OSSEC-agent). We want to react on unauthorized access/connections at
> the agent side. The secure connection between the agent and the server
> is established. The agent sends data to the server. The server and the
> agent are correctly installed as server and agent.
>
> We have the problem that the agent or the server doesn't react by
> active response.
> In the OSSEC logfile on the agent side we can't find any recognition.
> If we change the location in the server configuration to local and we
> attack the agent, the server locks our connections for the configured
> time but the agent doesn't react!
>
> We use OSSEC Version 1.5.
> Where is the problem?
> Here is the server configuration:
>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
>
> <!-- We act on this IDs:
> 11251-53: proftp
> 11451,52: vsftp
> 5701,5703,5705,5710,5712,5719,5720: ssh
> 30114: apache
> 31151-54,31161: webrules
> 5631: telnet
> 5551: pam
> 40601: attack
> -->
>
>
> <active-response>
> <command>firewall-drop</command>
> <location>defined-agent</location>
> <agent_id>002</agent_id>
> <rules_id>5701,5703,5705,5710,5712,5719,5720,40601</rules_id>
> <timeout>300</timeout>
> </active-response>
>
>
> Could anybody help us?
> Thanks a lot.
>
> Joachim Krais
>
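A small consistency check on the quoted <command>/<active-response> block, plus a model of the dispatch rule Daniel describes (location "local" runs on the agent that reported the alert, "defined-agent" runs on the configured agent_id). This is an added example for the thread and is not OSSEC project code; the sample config is a constructed copy of Joachim's snippet, the broken variant is constructed, and treating the manager as agent "000" and "all" as every known agent is an assumption rather than something the thread states.

```python
"""Validate an OSSEC <active-response> block and model where the response
would run.  Added example for this thread; not OSSEC project code.
The dispatch model follows what the thread states (local = the agent that
reported the alert, defined-agent = the <agent_id> given); treating the
manager as agent "000" and "all" as every known agent is an assumption."""
import xml.etree.ElementTree as ET

# Constructed copy of the server-side snippet quoted in the thread, wrapped
# in a root element so it parses as one document.
SAMPLE_CONFIG = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>5701,5703,5705,5710,5712,5719,5720,40601</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>
"""

# Constructed variant with two defects (undefined command, misspelled
# location), to show what the validator reports.
BROKEN_CONFIG = """<ossec_config>
  <active-response>
    <command>firewall-block</command>
    <location>defined_agent</location>
    <rules_id>5710</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>
"""

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}
MANAGER_ID = "000"  # assumption: the manager is addressed as agent 000


def parse_config(xml_text):
    """Return ({command name: settings}, [active-response dicts])."""
    root = ET.fromstring(xml_text)
    commands = {}
    for c in root.findall("command"):
        commands[c.findtext("name")] = {
            "executable": c.findtext("executable"),
            "expect": c.findtext("expect"),
            "timeout_allowed": (c.findtext("timeout_allowed") or "no").strip().lower() == "yes",
        }
    responses = []
    for ar in root.findall("active-response"):
        rules = ar.findtext("rules_id") or ""
        responses.append({
            "command": ar.findtext("command"),
            "location": ar.findtext("location"),
            "agent_id": ar.findtext("agent_id"),
            "rules_id": {r.strip() for r in rules.split(",") if r.strip()},
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return commands, responses


def validate(commands, responses):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    for i, ar in enumerate(responses):
        cmd = commands.get(ar["command"])
        if cmd is None:
            problems.append(f"active-response #{i}: command '{ar['command']}' has no <command> definition")
        elif ar["timeout"] and not cmd["timeout_allowed"]:
            problems.append(f"active-response #{i}: <timeout> set but the command does not allow it")
        if ar["location"] not in VALID_LOCATIONS:
            problems.append(f"active-response #{i}: unknown <location> '{ar['location']}'")
        elif ar["location"] == "defined-agent" and not ar["agent_id"]:
            problems.append(f"active-response #{i}: defined-agent requires <agent_id>")
    return problems


def dispatch_targets(ar, alert, known_agents):
    """Agents that would execute the response for an alert {agent_id, rule_id}."""
    if alert["rule_id"] not in ar["rules_id"]:
        return set()
    loc = ar["location"]
    if loc == "local":
        return {alert["agent_id"]}          # the agent that reported the alert
    if loc == "server":
        return {MANAGER_ID}
    if loc == "defined-agent":
        return {ar["agent_id"]}             # the configured agent, whoever reported
    if loc == "all":
        return set(known_agents)
    return set()


if __name__ == "__main__":
    cmds, ars = parse_config(SAMPLE_CONFIG)
    print("problems:", validate(cmds, ars) or "none")
    alert = {"agent_id": "003", "rule_id": "5710"}   # constructed alert from agent 003
    agents = {"001", "002", "003"}
    print("defined-agent ->", dispatch_targets(ars[0], alert, agents))
    print("local ->", dispatch_targets(dict(ars[0], location="local"), alert, agents))
    print("broken:", validate(*parse_config(BROKEN_CONFIG)))
```

With the quoted configuration the validator reports nothing, and an alert from agent 003 for rule 5710 is dispatched to agent 002 only; switching the same block to "local" sends it to 003, which is the difference Daniel asks Joachim to re-check.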
