No, that's not what I mean: it did block on all systems, but it should only have blocked on the 1 system on which the scan was performed.
I scan 1 system and it blocks on all systems.

On Thursday, September 5, 2013 3:31:24 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Sep 5, 2013 at 3:38 AM, <[email protected]> wrote:
> > What I basically want is that a firewall drop is executed on the host that
> > originates the alert and if the alert is part of defined groups and level 6
> > or higher.
> >
> > Initially I had 1 active response block with all agents separated by commas
> > in the <agent_id> field. Initially this worked, but after recompiling for
> > geoip this gave errors on the server. Now it is configured as you see below.
> >
>
> Ok, so it did block on all of the systems correctly?
> You just didn't get alerts that these blocks were put in place? Are
> you sure active-response.log or whatever is being monitored on all of
> the agents?
>
> > <command>
> >   <name>firewall-drop</name>
> >   <executable>firewall-drop.sh</executable>
> >   <expect>srcip</expect>
> >   <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <active-response>
> >   <command>firewall-drop</command>
> >   <location>defined-agent</location>
> >   <agent_id>005</agent_id>
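
An added example, not part of the original thread or OSSEC's own code: a small Python model of how the `<location>` value of an active-response block decides where the command executes. It assumes the quoted `defined-agent` block is repeated once per agent (agent IDs 006 and 007 and the function name are constructed) and that every block matches the alert; level and rule-group filters are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the quoted defined-agent block, assumed to be
# repeated once per agent (006 and 007 are made-up agent IDs).
PER_AGENT_CONF = "".join(
    "<active-response><command>firewall-drop</command>"
    "<location>defined-agent</location>"
    f"<agent_id>{agent}</agent_id></active-response>"
    for agent in ("005", "006", "007")
)

# Constructed fragment: one block using the "local" location instead.
LOCAL_CONF = (
    "<active-response><command>firewall-drop</command>"
    "<location>local</location></active-response>"
)


def execution_targets(conf_text, alert_agent, all_agents):
    """Return the hosts on which the configured responses would run
    for an alert raised by alert_agent (hypothetical helper)."""
    # ossec.conf fragments have no single root element, so wrap them.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    targets = set()
    for ar in root.iter("active-response"):
        location = (ar.findtext("location") or "").strip()
        if location == "local":
            # Runs on the agent that generated the event.
            targets.add(alert_agent)
        elif location == "server":
            # Runs on the OSSEC manager itself.
            targets.add("server")
        elif location == "defined-agent":
            # Runs on the named agent, whichever agent raised the alert.
            agent_id = (ar.findtext("agent_id") or "").strip()
            if agent_id:
                targets.add(agent_id)
        elif location == "all":
            # Runs on every agent.
            targets.update(all_agents)
    return targets


if __name__ == "__main__":
    agents = ["005", "006", "007"]
    print(sorted(execution_targets(PER_AGENT_CONF, "005", agents)))
    print(sorted(execution_targets(LOCAL_CONF, "005", agents)))
```
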
