I don't see a problem with the config, it sounds like it's doing what you've configured it to do.
On Wed, Aug 1, 2012 at 3:56 PM, cmlara <[email protected]> wrote:
> Hello All,
>
> I have setup a new server with OSSEC 2.6 on it running FreeBSD 9.0 64bit
>
> I have a single agent (ID: 001) running on a Linux node (Ubuntu 12.04 LTS
> 32bit 3.4 kernel)
>
> I feed all my logs back via syslog to the central logging server that is the
> same server running ossec.
>
> OSSEC is configured to monitor the log files
>
> AR is setup with:
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>server</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>

Ok, so everything at level 6+ gets triggered above. Everything.

> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>

We don't get to this one, everything level 6+ is handled in the previous AR.

> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>defined_aget</location>
>   <agent_id>001</agent_id>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>

We don't worry about this one either, everything this one handles is taken care of in the first AR block.

> I know the 'all' will not trigger on the server but it should trigger the
> agent. That failed to work on the agent so I added the extra agent_id 001
> to be sure.
>
> Looking at the logs/active-responses.log on the server:
>
> Wed Aug 1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/host-deny.sh add - 61.135.137.2 1343850096.1242729 5712
> Wed Aug 1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 61.135.137.2 1343850096.1242729 5712
>
> (more entries below and above them)
>
> On the Agent N no log entries show up. The only log entries are where I
> manually ran ./bin/agent_control to test server to agent communications
> which does work:
>
> Wed Aug 1 16:53:19 UTC 2012 /var/ossec/active-response/bin/echoalert.sh add - 9.9.9.9 (from_the_server) (no_rule_id)
> Wed Aug 1 17:03:49 UTC 2012 /var/ossec/active-response/bin/echoalert.sh delete - 9.9.9.9 (from_the_server) (no_rule_id)
>
> Anyone have any idea why the action is triggering on the server but not on
> the agents?
>
> This is basically because I have a number of frontend servers that are publicly
> exposed and do not have their own firewalls in front of them, so each one
> will need to firewall itself and should firewall based on the reports of
> the other frontends.
>
> Best Regards,
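An added example, not from this thread or from the OSSEC project: a small audit script that parses the <active-response> blocks of an ossec.conf and reports blocks that repeat an earlier block's command at the same or a lower level, plus any <location> value outside the documented set. The embedded config is a constructed copy of the three blocks quoted above, and the valid-location set is an assumption taken from the OSSEC documentation as I understand it (local, server, defined-agent, all).

```python
import xml.etree.ElementTree as ET

# Assumption: the <location> values OSSEC documents for active-response blocks.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample mirroring the three blocks from the original post.
SAMPLE_CONF = """<ossec_config>
<active-response><command>firewall-drop</command><location>server</location>
<level>6</level><timeout>600</timeout></active-response>
<active-response><command>firewall-drop</command><location>all</location>
<level>6</level><timeout>600</timeout></active-response>
<active-response><command>firewall-drop</command><location>defined_aget</location>
<agent_id>001</agent_id><level>6</level><timeout>600</timeout></active-response>
</ossec_config>"""


def parse_blocks(conf_xml):
    """Return one dict per <active-response> block, in file order."""
    root = ET.fromstring(conf_xml)
    blocks = []
    for ar in root.findall("active-response"):
        blocks.append({
            "command": (ar.findtext("command") or "").strip(),
            "location": (ar.findtext("location") or "").strip(),
            "agent_id": (ar.findtext("agent_id") or "").strip(),
            "level": int(ar.findtext("level") or 0),
        })
    return blocks


def audit(conf_xml):
    """Return (block_index, message) findings; index is 0-based file order."""
    findings = []
    blocks = parse_blocks(conf_xml)
    for i, block in enumerate(blocks):
        # A location value that is not one OSSEC knows will not do what the author expects.
        if block["location"] not in VALID_LOCATIONS:
            findings.append((i, f"unknown location '{block['location']}'"))
        # An earlier block already fires the same command at this level or lower;
        # the two definitions overlap, so check which one you actually rely on.
        for j in range(i):
            earlier = blocks[j]
            if earlier["command"] == block["command"] and earlier["level"] <= block["level"]:
                findings.append((i, f"overlaps block {j} (location '{earlier['location']}', "
                                    f"level {earlier['level']}) for command '{block['command']}'"))
                break
    return findings


if __name__ == "__main__":
    for index, message in audit(SAMPLE_CONF):
        print(f"block {index}: {message}")
```

Run against the real file with `audit(open("/var/ossec/etc/ossec.conf").read())`; the block indexes count <active-response> elements in the order they appear.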
