On Sat, Apr 13, 2013 at 12:08 AM, William Taylor <[email protected]> wrote:
> I'm trying to figure out how to have a response to a rule fired off on
> multiple agents correctly.
> It appears to work but the responses are some minutes apart to agents.
>

So all of the blocks happen, just not simultaneously?

> agent1: Fri Apr 12 20:47:56 PDT 2013
> /opt/ossec/active-response/bin/ip-set.sh add - 109.71.8.251
> 1365824876.50114420 31510
> agent1: Fri Apr 12 20:59:28 PDT 2013
> /opt/ossec/active-response/bin/ip-set.sh add - 199.217.115.189
> 1365825568.52334547 31510
>
> agent2: Fri Apr 12 20:46:16 PDT 2013
> /opt/ossec/active-response/bin/ip-set.sh add - 109.71.8.251
> 1365824776.49780433 31510
> agent2: Fri Apr 12 20:52:54 PDT 2013
> /opt/ossec/active-response/bin/ip-set.sh add - 199.217.115.189
> 1365825174.51119756 31510
>
>
> I also tried specifying agent_id as a comma separated list but that doesn't
> work.
>
> <active-response>
>   <disabled>no</disabled>
>   <command>ipset</command>
>   <location>defined-agent</location>
>   <agent_id>001</agent_id>
>   <timeout>900</timeout>
>   <rules_id>31510</rules_id>
> </active-response>
>
> <active-response>
>   <disabled>no</disabled>
>   <command>ipset</command>
>   <location>defined-agent</location>
>   <agent_id>002</agent_id>
>   <timeout>900</timeout>
>   <rules_id>31510</rules_id>
> </active-response>
>
> Also what's the best way to update to a newer rule set?

Upgrade OSSEC. We don't have separate rules releases yet.

> I tried updating my whole install as shown here:
> http://intellavis.com/blog/?p=257
> But it seemed buggy and things weren't working quite right so I reverted.
>
> I would like the newer rules though.
>
> Thanks
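Added example, not part of the original thread: a Python sketch that parses the active-response log lines quoted above and groups them by source IP, to check whether two agents acted on the same alert and how long each response ran after the alert it names. It assumes the two trailing fields are the alert ID (`epoch.offset`) and the rule ID, that the `agentN:` labels were added by the poster, and that all timestamps are PDT (UTC-7).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Log lines copied from the post; the "agentN:" labels are the poster's.
SAMPLE = """\
agent1: Fri Apr 12 20:47:56 PDT 2013 /opt/ossec/active-response/bin/ip-set.sh add - 109.71.8.251 1365824876.50114420 31510
agent1: Fri Apr 12 20:59:28 PDT 2013 /opt/ossec/active-response/bin/ip-set.sh add - 199.217.115.189 1365825568.52334547 31510
agent2: Fri Apr 12 20:46:16 PDT 2013 /opt/ossec/active-response/bin/ip-set.sh add - 109.71.8.251 1365824776.49780433 31510
agent2: Fri Apr 12 20:52:54 PDT 2013 /opt/ossec/active-response/bin/ip-set.sh add - 199.217.115.189 1365825174.51119756 31510
"""
LINE = re.compile(
    r"^(?P<agent>\S+): (?P<when>\w{3} \w{3} +\d+ [\d:]{8}) (?P<tz>\S+) (?P<year>\d{4}) "
    r"(?P<script>/\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>(?P<alert_epoch>\d+)\.\d+) (?P<rule>\d+)$"
)
PDT = timezone(timedelta(hours=-7))  # assumption: every sample line is in PDT

def parse(text):
    """Yield one dict per active-response log line; skip lines that don't match."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rec = m.groupdict()
            ran = datetime.strptime(f"{rec['when']} {rec['year']}", "%a %b %d %H:%M:%S %Y")
            rec["ran_epoch"] = int(ran.replace(tzinfo=PDT).timestamp())
            rec["alert_epoch"] = int(rec["alert_epoch"])
            yield rec

def summarize(text):
    """Per source IP: alert IDs shared by all agents, and timing in seconds."""
    by_ip = defaultdict(list)
    for rec in parse(text):
        by_ip[rec["srcip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        ids = defaultdict(set)
        for r in recs:
            ids[r["agent"]].add(r["alert_id"])
        epochs = [r["alert_epoch"] for r in recs]
        report[ip] = {
            "shared_alert_ids": set.intersection(*ids.values()),
            "alert_spread_s": max(epochs) - min(epochs),
            "max_dispatch_lag_s": max(r["ran_epoch"] - r["alert_epoch"] for r in recs),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the quoted lines, no alert ID appears on both agents, and each response ran in the same second as the alert ID it was passed.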
