Hi Martin,

On Fri, Apr 22, 2011 at 5:08 PM, Martin Gottlieb <[email protected]> wrote:
>
> Shouldn't this block from the config on the OSSEC server:
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>     -->
>   <command>firewall-drop</command>
>   <location>as</location>
>   <level>6</level>
>   <timeout>3600</timeout>
> </active-response>
>
> cause the firewall drop script to be run on the server for any event that is
> level 6 or higher, regardless of which agent it came from? That's all I'm
> trying to accomplish, I don't need anything to run on the Windows agent if
> I can get the firewall drop script to run on the server.
>
> Thanks.
>
> Martin
>
Oh, I get it now. Your <location> field looks wrong. It should be <location>server</location>

http://www.ossec.net/doc/syntax/head_ossec_config.active-responce.html#element-active-response.location

> On 4/22/2011 4:58 PM, dan (ddp) wrote:
>> Hi Martin,
>>
>> On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb <[email protected]> wrote:
>>> I guess what I'm trying to understand is this:
>>>
>>> When an event is triggered from a Linux agent, the firewall drop script is
>>> run on the OSSEC server (in addition to the hosts deny script being called
>>> on the agent). I don't recall doing anything special to make this happen
>>> when I installed OSSEC, I assume it is part of the default behavior.
>>
>> The default actions (if I'm reading
>> https://bitbucket.org/dcid/ossec-hids/src/4908b28513b0/etc/ossec-server.conf
>> correctly) is that the script is run on the system where the log message
>> originated. Unless you changed the configurations the scripts shouldn't be
>> running on both the server and the agents.
>>
>>> When an event is triggered on a Windows agent, the firewall drop script is
>>> NOT called on the server, but I would like it to be. I would like the
>>> default behavior on Windows agents to be the same as Linux agents, at least
>>> as far as what happens on the OSSEC server. The Windows agent is obviously
>>> reporting the event to the server as it logs it and reports it to me.
>>>
>>> Am I understanding the responses so far to mean that I have to write a
>>> script to make this happen, and that the script needs to reside on the
>>> Windows agent?
>>>
>>> Thanks again.
>>>
>>> Martin
>>
>> The script would have to reside on all of the systems you want it to run
>> on. Having it run on both Windows and Linux systems may be difficult.
>>
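The mistake in the thread is a <location> value OSSEC does not recognise. As an added check (not code from this thread or from the OSSEC project), the Python linter below parses <active-response> blocks from an ossec.conf fragment and flags any <location> outside the documented set (local, server, defined-agent, all), a defined-agent block without <agent_id>, and non-numeric <level>/<timeout> values. The sample configuration is constructed and contains the block quoted above next to a corrected copy.

```python
"""Lint <active-response> blocks in an OSSEC ossec.conf fragment.

Added example for this thread, not OSSEC's own code. The accepted
<location> values are the ones OSSEC documents; everything else here
(sample config, messages) is constructed for illustration.
"""
import xml.etree.ElementTree as ET

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample: the block from the thread (location "as") and a
# corrected copy that runs the response on the OSSEC server.
SAMPLE_CONF = """<ossec_config>
  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>as</location>
    <level>6</level>
    <timeout>3600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>3600</timeout>
  </active-response>
</ossec_config>
"""


def lint_active_responses(conf_text):
    """Return a list of (block_index, problem) tuples; empty means clean."""
    root = ET.fromstring(conf_text)  # XML comments are dropped by the parser
    problems = []
    for idx, ar in enumerate(root.iter("active-response")):
        def text(tag):
            node = ar.find(tag)
            return node.text.strip() if node is not None and node.text else None

        command, location, level, timeout = (text(t) for t in ("command", "location", "level", "timeout"))
        if not command:
            problems.append((idx, "missing <command>"))
        if location not in VALID_LOCATIONS:
            problems.append((idx, f"invalid <location> {location!r}; expected one of {sorted(VALID_LOCATIONS)}"))
        if location == "defined-agent" and not text("agent_id"):
            problems.append((idx, "<location>defined-agent</location> requires <agent_id>"))
        if level is not None and not level.isdigit():
            problems.append((idx, f"<level> must be an integer, got {level!r}"))
        if timeout is not None and not timeout.isdigit():
            problems.append((idx, f"<timeout> must be an integer number of seconds, got {timeout!r}"))
    return problems


if __name__ == "__main__":
    for idx, msg in lint_active_responses(SAMPLE_CONF):
        print(f"active-response #{idx}: {msg}")
```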
