Previous thread:
http://groups.google.com/group/ossec-list/browse_thread/thread/340a6367b024c11a/b384ac2f1d514ced?lnk=gst&q=%22%3Clocation%3Eall%22
So I configured the active-response like this, to have the AR enabled
on both ALL agents and the server (because when you configure only
<location>all</location> it won't block on the server).

<!-- Active Response Config -->
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

The problem is, when an attack occurs on the server, it will just block
on the server, not on the agents; if an attack occurs on one agent, it
will block on the server and on all the agents.