On Thu, Nov 8, 2012 at 3:39 PM, CTech <[email protected]> wrote:
> I have ossec agents running on several machines, but only one of them
> ("agent 001") is set in the server's ossec.config to allow active response.
> The <active-response> section in my server's ossec.config is pasted at the
> bottom of this message, since someone is sure to ask for it otherwise.
>
> This appeared to have been working fine. However, recently "agent 001" began
> blocking traffic from "agent 002." I was able to quickly resolve this by
> adding a <white_list> entry. When I started looking at logs to find out
> exactly what rule "agent 002" had triggered, I found that "agent 002" was
> nowhere in ossec's alert or active-response logs as a source IP sending
> traffic to "agent 001." Where "agent 002" did appear in the logs, having
> triggered an alert, it was because a problem in apache on that server had
> caused it to appear to be attacking itself, triggering a level 6 rule
> multiple times.
>
> So here is my question: Am I missing something, or is active response,
> although firing only on "agent 001," responding to alerts generated on
> "agent 002"? Having "agent 002" whitelisted should prevent today's problem,
> but I don't want iptables on "agent 001" blocking addresses that don't need
> to be blocked. I will greatly appreciate any clarity you can offer.
>
> <active-response>
>   <disabled>no</disabled>
>   <command>firewall-drop</command>
>   <location>defined-agent</location>
>   <agent_id>001</agent_id>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
agent001 could very well be adding blocks based on alerts from agent002.
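To make the scoping concrete, here is a small Python model of how the server dispatches an active response, added to this thread as an illustration; it is not OSSEC's own code and the alerts and config fragments in it are constructed. It assumes OSSEC's documented semantics: the <level> threshold and <white_list> filter are applied to every alert the server sees regardless of which agent produced it, and <location> only decides where the command runs (local = the agent that generated the alert, defined-agent = the agent named in <agent_id>, server = the manager). Under those assumptions the config from the quoted message makes agent 001 block the srcip of any level 6 alert, including agent 002's apache self-hit.

```python
import xml.etree.ElementTree as ET


def make_conf(location, agent_id=None, white_list=()):
    """Build a constructed ossec.conf fragment (modelled on the quoted one,
    not copied from any real server)."""
    agent = f"<agent_id>{agent_id}</agent_id>" if agent_id else ""
    wl = "".join(f"<white_list>{ip}</white_list>" for ip in white_list)
    return f"""<ossec_config>
  <global>{wl}</global>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>{location}</location>
    {agent}
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def dispatch(conf_xml, alerts):
    """Return (runs_on, command, srcip, alerting_agent) for each response the
    server would trigger. Simplified model of OSSEC's dispatch, assumed here:
    level and white_list are checked server-wide, location picks the host."""
    root = ET.fromstring(conf_xml)
    white = {w.text.strip() for w in root.findall("global/white_list") if w.text}
    actions = []
    for ar in root.findall("active-response"):
        if (ar.findtext("disabled") or "no").strip() == "yes":
            continue
        threshold = int(ar.findtext("level") or 0)
        location = (ar.findtext("location") or "local").strip()
        target = (ar.findtext("agent_id") or "").strip()
        command = (ar.findtext("command") or "").strip()
        for alert in alerts:
            # Both filters ignore which agent raised the alert.
            if alert["level"] < threshold or alert["srcip"] in white:
                continue
            if location == "local":
                runs_on = alert["agent"]      # the agent that saw the event
            elif location == "defined-agent":
                runs_on = target              # always the configured agent
            elif location == "server":
                runs_on = "server"
            else:
                raise ValueError(f"location {location!r} not modelled here")
            actions.append((runs_on, command, alert["srcip"], alert["agent"]))
    return actions


def blocked_on(actions, agent):
    """Set of source IPs that a given agent would firewall-drop."""
    return {srcip for runs_on, _, srcip, _ in actions if runs_on == agent}


# Constructed alerts: a level 6 hit on agent 001 from an outside host, agent
# 002's apache "attacking itself" at level 6, and a sub-threshold level 5.
ALERTS = [
    {"agent": "001", "level": 6, "srcip": "203.0.113.5"},
    {"agent": "002", "level": 6, "srcip": "10.0.0.2"},
    {"agent": "002", "level": 5, "srcip": "198.51.100.9"},
]

if __name__ == "__main__":
    for label, conf in [
        ("defined-agent 001", make_conf("defined-agent", "001")),
        ("local", make_conf("local")),
        ("defined-agent 001 + white_list", make_conf("defined-agent", "001", ["10.0.0.2"])),
    ]:
        acts = dispatch(conf, ALERTS)
        print(label, "-> agent 001 blocks", sorted(blocked_on(acts, "001")))
```

With <location>defined-agent</location> agent 001 blocks both 203.0.113.5 and 10.0.0.2; switching to <location>local</location> keeps agent 001's firewall limited to alerts agent 001 itself raised (at the cost of running the response on every agent that raises one), and the <white_list> entry suppresses the single IP without changing the scope. If the goal is a response tied to particular rules rather than a level, OSSEC's <rules_id> and <rules_group> options narrow the trigger further, but neither restricts by source agent.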
