On Thu, Nov 4, 2010 at 12:57 PM, Chad Robertson <[email protected]> wrote:
> I have a problem getting active response to work between systems. I will
> paste the tcpdumps from both the server and the client when triggering an AR
> rule.
>
> 08:32:58.458874 IP (tos 0x0, ttl 63, id 17222, offset 0, flags [DF], proto UDP (17), length 165) client1.42292 > server1.1514: UDP, length 137
> 08:33:08.204204 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 77) server1.syslog > client1.syslog: [udp sum ok] SYSLOG, length: 49
> 08:33:08.206321 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 109) server1.syslog > client1.syslog: SYSLOG, length: 81
>
> And on the client:
>
> 07:30:27.865707 IP (tos 0x0, ttl 64, id 17222, offset 0, flags [DF], proto UDP (17), length 165)
> 07:30:37.610266 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 77)
> 07:30:37.612503 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 109)
>
> The server then throws the AR response:
>
> Thu Nov 4 08:33:08 EDT 2010 /var/ossec/active-response/bin/host-deny.sh add - x.x.x.x 1288873988.634831 100055
>
> But I don't see any network activity as a result.
Is the AR firing on the agent?
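One way to answer that question mechanically, as an added example for this thread (not code from the poster or from OSSEC): pull the active-responses.log from the server and from the agent and list every response the server launched that has no counterpart on the agent. It assumes only the line layout shown in the quoted log above (date, script path, then the action, user, source IP, alert id and rule id that OSSEC passes as script arguments) and the default /var/ossec/logs/active-responses.log location on both hosts; the sample log lines below are constructed, with documentation addresses in place of the poster's x.x.x.x.

```python
"""Correlate OSSEC active-response log lines from a server and an agent.

Added example for the thread above, not OSSEC's own code. It assumes the
active-responses.log layout shown in the quoted post:

    <date> <script> <action> <user> <srcip> <alert_id> <rule_id>

which is the argument order OSSEC hands to active-response scripts.
Both sample logs below are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed server-side log: two responses launched by ossec-analysisd.
SERVER_LOG = """\
Thu Nov  4 08:33:08 EDT 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1288873988.634831 100055
Thu Nov  4 08:41:12 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.11 1288874472.101000 5712
"""

# Constructed agent-side log: only the second response ever ran here.
# The clock is deliberately an hour off, as in the thread's captures.
AGENT_LOG = """\
Thu Nov  4 07:41:13 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.11 1288874472.101000 5712
"""

# Date is six whitespace-separated tokens ("Thu Nov  4 08:33:08 EDT 2010"),
# then the script path and its five arguments.
_LINE = re.compile(
    r"^(?P<date>\S+\s+\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+\d{4})\s+"
    r"(?P<script>\S+)\s+(?P<action>\S+)\s+(?P<user>\S+)\s+(?P<srcip>\S+)\s+"
    r"(?P<alert_id>\S+)\s+(?P<rule_id>\S+)\s*$"
)


def parse_ar_log(text: str) -> List[Dict[str, str]]:
    """Parse active-responses.log text into one dict per line; skip lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def missing_on_agent(server_text: str, agent_text: str) -> List[Dict[str, str]]:
    """Return server-side responses that never appeared in the agent's log.

    Matching is on alert_id + script + action: the alert id is what the
    server sends along with the command, and host clocks differ, so the
    timestamps are intentionally not compared.
    """
    agent_keys = {
        (e["alert_id"], e["script"], e["action"]) for e in parse_ar_log(agent_text)
    }
    return [
        e
        for e in parse_ar_log(server_text)
        if (e["alert_id"], e["script"], e["action"]) not in agent_keys
    ]


if __name__ == "__main__":
    for e in missing_on_agent(SERVER_LOG, AGENT_LOG):
        print(
            f"alert {e['alert_id']} rule {e['rule_id']}: "
            f"{e['script']} {e['action']} {e['srcip']} ran on the server only"
        )
```

On a real pair of hosts, replace the two constants with the contents of each side's active-responses.log; if the server-only list is non-empty the command is being launched by the server but not executed on the agent, which narrows the problem to the server-to-agent channel or the agent's own AR configuration rather than to the script itself.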
