I saw it just now: the server adds the attacker IP to the local iptables! Not to the agent.
But I think, after reading the manual, that <location>local</location> means response on an agent!

http://www.ossec.net/main/manual/manual-active-responses/

A bug? A misunderstanding? A misconfiguration?

holger

My config:

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
