I have a problem getting active response to work between systems. I will paste the tcpdumps from both the server and the client when triggering an AR rule.
On the server:

08:32:58.458874 IP (tos 0x0, ttl 63, id 17222, offset 0, flags [DF], proto UDP (17), length 165) client1.42292 > server1.1514: UDP, length 137
08:33:08.204204 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 77) server1.syslog > client1.syslog: [udp sum ok] SYSLOG, length: 49
08:33:08.206321 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 109) server1.syslog > client1.syslog: SYSLOG, length: 81

And on the client:

07:30:27.865707 IP (tos 0x0, ttl 64, id 17222, offset 0, flags [DF], proto UDP (17), length 165)
07:30:37.610266 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 77)
07:30:37.612503 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 109)

The server then throws the AR response:

Thu Nov 4 08:33:08 EDT 2010 /var/ossec/active-response/bin/host-deny.sh add - x.x.x.x 1288873988.634831 100055

But I don't see any network activity as a result.
