On Thu, Sep 16, 2010 at 3:37 PM, dan (ddp) <[email protected]> wrote: > On Wed, Sep 15, 2010 at 6:38 PM, Kacper Wysocki <[email protected]> wrote: >> I have several agents with dynamic addresses (laptops mostly) >> Any way to make OSSEC report the IP address that agent responds on? >> > > Not that I'm aware of, the emails sent out are pretty static. I guess > you could edit the source to do this, but that seems clunky to me. > I set the agent name of each system to the hostname of that system, to > make things easier for me. Not sure if that would work for you though.
I'm already setting up my agents by hostname, but getting the actual IP is interesting because "dial-home" in case of theft is another thing ossec would then do. Maybe not quite within scope but theft sure does fall under the banner of "intrusion". I suppose I could set up a rule to check the IP but it's more useful to have the server report the actual IP and not a NAT'ed private ip. editing the source: sure, anyone point me the right way around the code? -- http://kacper.doesntexist.org http://windows.dontexist.com Employ no technique to gain supreme enlightment. - Mar pa Chos kyi blos gros
