C.L., Did you not get the option to enable active response when you installed OSSEC in its server configuration? Also, what type of agents are you trying to activate for - Windows or Linux?
This should be in your config:
<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
  -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of C. L. Martinez
Sent: Monday, August 27, 2012 1:57 PM
To: [email protected]
Subject: Re: [ossec-list] Question about active response
On Mon, Aug 27, 2012 at 5:55 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Aug 27, 2012 at 1:45 PM, C. L. Martinez <[email protected]>
> wrote:
>> Hi all,
>>
>> Does active response need to be configured on the server and the agent to work?
>> I am trying to activate it for agents only, but it doesn't seem to work ...
>> Do I need to configure it in the server's ossec.conf file, in the
>> agent.conf file, or on both sides?
>>
>> Thanks.
>
> Active response needs to be enabled on both the server and the agents.
> You do not need to configure an active response to run on the server,
> so it's almost like having it disabled on the server.
Then, does configuring only a command option on the server side work?
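For reference, here is the pair of settings the thread is describing, written out as an added example rather than configuration posted by any participant. On the server, ossec.conf needs both a <command> definition (which script to run and which alert field it expects as its argument; the two shown are the stock definitions that ship with OSSEC) and an <active-response> block of the kind Michael pasted. On each agent, the agent's own ossec.conf has to leave active response enabled, otherwise the agent ignores the server's orders. The /var/ossec paths are the default layout and are an assumption; the level and timeout values simply mirror the snippet above.

```xml
<!-- Server side: /var/ossec/etc/ossec.conf on the manager (assumed default path).
     OSSEC accepts several <ossec_config> blocks in one file, so these can sit
     alongside the existing ones. -->
<ossec_config>
  <!-- A <command> says what to run and what argument the script expects.
       The executable must exist under /var/ossec/active-response/bin/ on
       every host where the response is going to run. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- An <active-response> binds a command to a trigger. Without a matching
       <command> above, this block does nothing. -->
  <active-response>
    <command>firewall-drop</command>
    <!-- "local"          = run on the agent that generated the alert
         "server"         = run on the manager
         "all"            = run on every agent
         "defined-agent"  = run on the agent named by <agent_id> -->
    <location>local</location>
    <!-- Trigger on any rule with level >= 6; <rules_id> could be used
         instead to trigger on specific rule IDs. -->
    <level>6</level>
    <!-- Undo the block after 600 seconds (needs <timeout_allowed>yes</timeout_allowed>
         on the command). -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Agent side: /var/ossec/etc/ossec.conf on each agent (assumed default path).
     This is the "enabled on both sides" part Dan describes: the agent only
     executes responses if it is not disabled here. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

A few things to check when a response "doesn't seem to work": confirm the script named in <executable> is present and executable under /var/ossec/active-response/bin/ on the agent, not just on the manager, since with <location>local</location> it is the agent that runs it; restart both sides with /var/ossec/bin/ossec-control restart after editing; and watch /var/ossec/logs/active-responses.log on the host that should be running the script. host-deny.sh and firewall-drop.sh are Unix shell scripts, so they only apply to Linux/BSD agents; Windows agents ship route-null.cmd instead, which is why Michael's question about the agent platform matters.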
