Dan,

Upon reading the OSSEC book again it appears to confirm my suspicion
that "all" means "all" agents.

So, how do you include the server as well?

I tried <location>server,all</location> as someone else's post
suggested but it doesn't work.  The active response seems to work only
on the server if I attack an agent.

I also tried creating two identical active response blocks except that
the location for one is "all" while the location for the other is
"server".  In that case, the active response seemed to work on the
server but on only some of the agents.

So, I am still left with the same question:  how do I get the active
response to work on both the server and all agents?

Ideas?

Trevor


On May 7, 12:14 pm, tm <[email protected]> wrote:
> Dan,
>
> Some more testing reveals the following:  if I change the location to
> "server" and then attack an agent, the firewall drops on the server
> and /etc/hosts.deny file is modified on the server.
>
> So, there seem to be two problems revealed here:
>
>  1. "all" doesn't mean "all".  It appears to mean only the agents
>
>  2. an attack on the server itself produces no active response at all
> regardless of "all" or "server"
>
> Ideas?
>
> Trevor
>
> On May 7, 8:40 am, tm <[email protected]> wrote:
>
> > Dan,
>
> > There is nothing in the logs.
>
> > The scripts on the server are in place and executable.  I can run
> > firewall-drop.sh on the server from the command line with the correct
> > arguments and it works.
>
> > The symptoms are still the same:  simulating an attack on one of the
> > OSSEC agent hosts results in the firewall being dropped and
> > /etc/hosts.deny being modified on all hosts except the one running the
> > OSSEC server.
>
> > Further:  today I simulated an attack on the OSSEC server itself.  An
> > alert was generated (5712, severity 10) but there was no active
> > response of any kind on the OSSEC server or any of the OSSEC agents.
>
> > Trevor
>
> > On May 6, 2:47 pm, "dan (ddp)" <[email protected]> wrote:
>
> > > Anything in the logs? Maybe /var/ossec/logs/ossec.log?
> > > Are the scripts in place and executable?
> > > Have you tried running one of the scripts to see if it works on that 
> > > system?
>
> > > On Thu, May 6, 2010 at 4:20 PM, tm <[email protected]> wrote:
> > > > Hello,
>
> > > > I have the location set to "all" in the firewall-drop and host-deny
> > > > active responses in the ossec.conf file on the OSSEC server.  If I
> > > > simulate an attack on one of the OSSEC agent hosts, both responses are
> > > > working on all the OSSEC agents but not on the OSSEC server.
>
> > > > Any ideas?
>
> > > > Thanks,
> > > > Trevor
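As an added example (not from this thread or from the OSSEC project), a small Python check that parses an ossec.conf-style snippet and lists which <location> values each active-response command is configured for, so a two-block setup like the "all" plus "server" one tried above can be verified before testing it. The sample configuration is constructed; the element names follow OSSEC's ossec.conf layout.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample mirroring the two-block setup tried in the thread:
# firewall-drop once with location "all" and once with "server",
# host-deny with "all" only.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
  </active-response>
</ossec_config>
"""

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


def active_response_locations(conf_text):
    """Map each active-response command to the sorted list of its <location> values."""
    # ossec.conf may contain several top-level <ossec_config> elements, which is
    # not well-formed XML, so wrap the text in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    coverage = defaultdict(set)
    for block in root.iter("active-response"):
        command = block.findtext("command", "").strip()
        location = block.findtext("location", "").strip()
        if not command or location not in VALID_LOCATIONS:
            continue  # e.g. the global <disabled> block, or a typo in location
        coverage[command].add(location)
    return {cmd: sorted(locs) for cmd, locs in coverage.items()}


def missing_server_coverage(coverage):
    """Commands that have no block with location "server"."""
    return sorted(cmd for cmd, locs in coverage.items() if "server" not in locs)
```

Run it against the real /var/ossec/etc/ossec.conf to see at a glance which responses have a block targeting the server and which only have "all".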
