Hello, I have a test environment consisting of three hosts with OSSEC (agent) installed (Linux, XP Professional and a Mac) and one host with OSSEC (server) installed (Linux). The three hosts are configured to send their events to the server.

This environment has a completely stock configuration, i.e., none of the configuration files, rules or scripts have been changed. Everything works well except for the active response on the agents. It works fine on the server. If I run something like Bruter to pound away at the agents using ssh, neither hosts.deny nor the firewall on the agents is automatically configured by the server to block the IP address of the host running Bruter. If I run agent_control on the server, it shows all the agents as active. If I run agent_control on the server and specify integrity/rootkit checking on a particular agent, it runs on the agent. All that doesn't work is the active response on the agents. Any ideas?

Trevor McLeod
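An added editor's note, not part of Trevor's post: in a stock OSSEC install the active-response definitions live in the server's ossec.conf, and whether an agent ever runs one depends on three things: the `<location>` element of the block, whether the agent's own ossec.conf has active response disabled, and whether the named script exists and ossec-execd is running on that agent. The annotated fragment below reproduces the shape of those blocks from memory (the names host-deny and firewall-drop, the level 6 threshold and the 600 second timeout are the defaults as I recall them; check them against the installed /var/ossec/etc/ossec.conf). The comments are mine.

```xml
<!-- File 1: server-side /var/ossec/etc/ossec.conf (annotated copy added here, not the file itself) -->
<ossec_config>
  <command>
    <name>host-deny</name>
    <!-- The executable must exist under active-response/bin on whichever host
         ends up running the response. Windows agents ship only route-null.cmd,
         so host-deny.sh and firewall-drop.sh cannot run on the XP agent at all. -->
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>host-deny</command>
    <!-- location decides where ossec-execd runs the command:
           local          on the host that produced the alert (the agent, or the
                          server for the server's own events)
           server         only on the OSSEC server
           defined-agent  on the agent named in <agent_id>
           all            on every agent and the server
         With "server", only the server's hosts.deny/firewall ever change,
         which matches the symptom described in the post. -->
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- File 2: agent-side /var/ossec/etc/ossec.conf
     If this block is present on an agent, that agent silently ignores every
     response the server pushes to it. It must be absent or set to "no". -->
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
```

A quick check on a Linux or Mac agent is `/var/ossec/bin/ossec-control status`, which should list ossec-execd among the running daemons; if it is missing, the agent has nothing to execute responses with, regardless of what the server sends.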
