This is another interesting problem; however, in my testing, only one rule was used... seems like the active response comes with various undocumented hiccups.

The funny thing is that upon further testing the 'all' command did start hitting everything but the server. A second rule is then required for the server, and, as shown below, might not necessarily activate (although in my testing it has been working, for now, with such 2 rules).

Thanks to everyone for their responses, hopefully everything will start working correctly soon...

[EMAIL PROTECTED] wrote:
> Nikita:
>
> One thing that I have noticed is that it doesn't seem to match two
> rules--example:
>
> <active-response>
> <command>host-deny</command>
> <location>all</location>
> <level>10</level>
> <timeout>600</timeout>
> </active-response>
>
> <active-response>
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
> It seems that only one of the rules gets fired: always seems to be the
> last one defined in the ossec.conf file, but I can't determine which
> one for sure. Anyway I've only seen it fire one at a time, not both
> as you'd expect if you get, say, a level 13 event. This is the same
> behavior I've noticed for email alerts. Can anyone else confirm
> this? It'd be nice to have it respond on multiple levels like this,
> especially for granular email alerting, so that the same rule but
> with different email addresses based on event level can both be fired.
>
> I figured this out when I triggered a level 13 with the above two
> rules active, and only the level 6 one fired. Then I noticed that the
> email alerting rules were doing the same thing.
>
> It's entirely possible I have something screwed up.
> Emil
>
>
> On Jun 18, 9:14 am, Nikita Byalsky <[EMAIL PROTECTED]> wrote:
>> Hello all,
>>
>> I have been testing OSSEC active response recently and my results
>> indicate that using the 'all' location in an active response rule worked
>> fine in v 1.4, but works as 'local' in 1.5 (ie, it only works on the
>> machine that generated the alert and not across all machines).
>>
>> Any thoughts on this? I'm very curious to see if this is a bug or a
>> misconfiguration on my part (although I have double-checked that my
>> rules and commands do not have errors, and they work perfectly using
>> defined-agent and server).
>>
>> Thanks for your time,

--
Nikita Byalsky
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St., Suite 501
Philadelphia, PA 19104
215.573.8772
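The thread above reports that when two `<active-response>` blocks share a command with different level thresholds, only one of them fires on a high-level alert. The script below is an added example (not from the thread or from the OSSEC project): it parses the `<active-response>` blocks of an ossec.conf and lists every command that has more than one level threshold, so an administrator knows which rule pairs to verify by triggering a test alert. The configuration text is a constructed sample modelled on the two rules quoted by Emil.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the two rules quoted in the thread; not a real ossec.conf.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

def parse_active_responses(conf_text):
    """Return one dict per <active-response> block, in file order.
    An ossec.conf may hold several top-level <ossec_config> elements,
    so the text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    rules = []
    for ar in root.iter("active-response"):
        rules.append({
            "command": ar.findtext("command", "").strip(),
            "location": ar.findtext("location", "").strip(),
            "level": int(ar.findtext("level", "0")),
            "timeout": int(ar.findtext("timeout", "0")),
        })
    return rules

def find_overlapping(rules):
    """Group rules by command and keep only commands with more than one rule,
    sorted by level. An alert at or above the highest threshold matches every
    rule in the group, which is the case the thread reports as firing only once."""
    by_cmd = defaultdict(list)
    for r in rules:
        by_cmd[r["command"]].append(r)
    return {cmd: sorted(rs, key=lambda r: r["level"])
            for cmd, rs in by_cmd.items() if len(rs) > 1}

if __name__ == "__main__":
    for cmd, rs in find_overlapping(parse_active_responses(SAMPLE_CONF)).items():
        levels = ", ".join(f"{r['location']}@level{r['level']}" for r in rs)
        print(f"{cmd}: {len(rs)} rules ({levels}); confirm each fires on a "
              f"level >= {rs[-1]['level']} alert")
```

Run it against a real ossec.conf by reading the file contents into `conf_text`; each command listed is one to confirm with a deliberately triggered alert before relying on both responses.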
