On Wed, Sep 4, 2013 at 12:01 PM, <[email protected]> wrote:
>
> On 1 of my servers I get an alert during testing, detected by ModSecurity and
> forwarded to OSSEC. This alert comes from one of the test servers and I
> would expect that active response would be activated only on the server that
> underwent the action; however, apparently this IP address was then blocked on
> all the servers, while only notifying in the alerts that it had blocked
> the IP for only 2 servers (all the clients have the same configuration
> distributed by agent.conf):
>
> ** Alert 1378301036.1249820: - apache,access_denied,
> 2013 Sep 04 15:23:56
>
> Wed Sep 4 15:23:56 CEST 2013
> /var/ossec/active-response/bin/firewall-drop.sh add - 172.30.6.23
> 1378301036.1249820 30118
>
> How is this possible?
>
How is AR configured?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
