Dan,

Some more testing reveals the following: if I change the location to "server" and then attack an agent, the firewall drops on the server and the /etc/hosts.deny file is modified on the server.

So, there seem to be two problems revealed here:

1. "all" doesn't mean "all". It appears to mean only the agents.
2. An attack on the server itself produces no active response at all regardless of "all" or "server".

Ideas?

Trevor

On May 7, 8:40 am, tm <[email protected]> wrote:
> Dan,
>
> There is nothing in the logs.
>
> The scripts on the server are in place and executable. I can run
> firewall-drop.sh on the server from the command line with the correct
> arguments and it works.
>
> The symptoms are still the same: simulating an attack on one of the
> OSSEC agent hosts results in the firewall being dropped and
> /etc/hosts.deny being modified on all hosts except the one running the
> OSSEC server.
>
> Further: today I simulated an attack on the OSSEC server itself. An
> alert was generated (5712, severity 10) but there was no active
> response of any kind on the OSSEC server or any of the OSSEC agents.
>
> Trevor
>
> On May 6, 2:47 pm, "dan (ddp)" <[email protected]> wrote:
> > Anything in the logs? Maybe /var/ossec/logs/ossec.log?
> > Are the scripts in place and executable?
> > Have you tried running one of the scripts to see if it works on that system?
> >
> > On Thu, May 6, 2010 at 4:20 PM, tm <[email protected]> wrote:
> > > Hello,
> > >
> > > I have the location set to "all" in the firewall-drop and host-deny
> > > active responses in the ossec.conf file on the OSSEC server. If I
> > > simulate an attack on one of the OSSEC agent hosts, both responses are
> > > working on all the OSSEC agents but not on the OSSEC server.
> > >
> > > Any ideas?
> > >
> > > Thanks,
> > > Trevor
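An added ossec.conf fragment, not part of the thread, showing the two active responses Trevor describes declared once with location "all" and once more with an explicit "server" location, which is the workaround his second test points to. The command definitions, the level of 10 (taken from the severity of alert 5712) and the 600-second timeout are assumptions.

```xml
<ossec_config>
  <!-- Command definitions. Script names are the ones from the thread;
       the expect/timeout_allowed elements are the usual OSSEC form
       and are assumed here. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Original setting: location "all". In Trevor's tests this fires
       on every agent but not on the host running the OSSEC server. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Added blocks with an explicit "server" location. Trevor's follow-up
       test shows a "server" location does drop the firewall and edit
       /etc/hosts.deny on the server when an agent is attacked. -->
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>server</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Whether a single "all" block should already cover the server is the open question in the thread; the duplicated blocks only reproduce what the second test showed working, and they do nothing for the second problem (no response at all when the server itself is attacked).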
