Hi,
I need some help with this one.
I have 3 systems in total:
- 1 Debian with ossec manager (v1.6.1)
- 1 FreeBSD with ossec agent
- 1 WinXP with ossec agent
When I test a bruteforce at one of the agents, active response does
its work the way I want it: it blocks the attacker at both agents and
at the manager.
But: when I do an attack at the Debian system, it blocks the attacker
at that system, but not at the agents.
This is a sample of my ossec.conf:
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>server</location>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <active-response>
    <command>win_nullroute</command>
    <location>all</location>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <active-response>
    <command>win_nullroute</command>
    <location>server</location>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
What am I doing wrong?
Ty
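The following is an added example, not part of the post above and not OSSEC's own code. It parses the poster's active-response blocks and reports, for each command, which hosts each block is expected to reach and where two blocks for the same command overlap. The location semantics it encodes (local = the host that raised the alert, server = the manager, defined-agent = a named agent, all = the manager and every agent) are taken from the OSSEC documentation as I understand it; the sample configuration is a copy of the fragment in the post, embedded here so the script runs offline.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed copy of the active-response fragment from the post above.
SAMPLE_CONF = """
<active-response>
  <command>host-deny</command><location>all</location>
  <level>6</level><timeout>60</timeout>
</active-response>
<active-response>
  <command>host-deny</command><location>server</location>
  <level>6</level><timeout>60</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command><location>all</location>
  <level>6</level><timeout>60</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command><location>server</location>
  <level>6</level><timeout>60</timeout>
</active-response>
<active-response>
  <command>win_nullroute</command><location>all</location>
  <level>6</level><timeout>60</timeout>
</active-response>
<active-response>
  <command>win_nullroute</command><location>server</location>
  <level>6</level><timeout>60</timeout>
</active-response>
"""

# Assumed OSSEC semantics for <location>: which hosts a response block reaches.
LOCATION_TARGETS = {
    "local": {"alerting-host"},
    "server": {"server"},
    "defined-agent": {"named-agent"},
    "all": {"server", "agents"},
}


def parse_active_responses(conf_text):
    """Parse every <active-response> block in an ossec.conf fragment.

    A fragment has several top-level elements, so it is wrapped in a
    synthetic root element before handing it to the XML parser.
    """
    root = ET.fromstring("<ossec_config>" + conf_text + "</ossec_config>")
    entries = []
    for ar in root.findall("active-response"):
        entries.append({
            "command": ar.findtext("command", "").strip(),
            "location": ar.findtext("location", "").strip(),
            "level": int(ar.findtext("level", "0")),
            "timeout": int(ar.findtext("timeout", "0")),
        })
    return entries


def expected_targets(entry):
    """Hosts a single block is expected to reach, per the assumed semantics."""
    return LOCATION_TARGETS.get(entry["location"], set())


def find_overlaps(entries):
    """Return {command: sorted locations} for commands whose blocks reach the
    same host more than once, e.g. an 'all' block plus a 'server' block."""
    by_command = defaultdict(list)
    for e in entries:
        by_command[e["command"]].append(e)
    overlaps = {}
    for cmd, blocks in by_command.items():
        seen = set()
        for b in blocks:
            targets = expected_targets(b)
            if targets & seen:
                overlaps[cmd] = sorted(b["location"] for b in blocks)
                break
            seen |= targets
    return overlaps


if __name__ == "__main__":
    parsed = parse_active_responses(SAMPLE_CONF)
    for e in parsed:
        print(e["command"], e["location"], "->", sorted(expected_targets(e)))
    for cmd, locs in find_overlaps(parsed).items():
        print(f"{cmd}: blocks for {locs} reach the manager twice")
```

Run on the fragment above, the script reports that each of the three commands has an `all` block and a `server` block that both reach the manager; whether that duplication relates to the behaviour the poster sees is a question for the reply, but it is the first thing to tidy before testing further.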