On Thu, Sep 5, 2013 at 9:57 AM, <[email protected]> wrote:
> no, that's not what I mean
>
> it did block on all systems but it should only have blocked on the 1 system
> on which the scan was performed.
>
> I scan 1 system and it blocks on all systems
>

But that's not what you've configured. You probably want to use the local
location:
http://ossec.net/doc/syntax/head_ossec_config.active-response.html#element-location

>
>
> On Thursday, September 5, 2013 3:31:24 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Sep 5, 2013 at 3:38 AM, <[email protected]> wrote:
>> > what I basically want is that a firewall drop is executed on the host
>> > that originates the alert and if the alert is part of defined groups
>> > and level 6 or higher.
>> >
>> > initially I had 1 active response block with all agents separated by
>> > commas in the <agent_id> field, initially this worked but after
>> > recompiling for geoip this gave errors on the server. now it is
>> > configured as you see below
>> >
>>
>> Ok, so it did block on all of the systems correctly?
>> You just didn't get alerts that these blocks were put in place? Are
>> you sure active-response.log or whatever is being monitored on all of
>> the agents?
>>
>> >
>> > <command>
>> >   <name>firewall-drop</name>
>> >   <executable>firewall-drop.sh</executable>
>> >   <expect>srcip</expect>
>> >   <timeout_allowed>yes</timeout_allowed>
>> > </command>
>> >
>> >
>> >
>> > <active-response>
>> >   <command>firewall-drop</command>
>> >   <location>defined-agent</location>
>> >   <agent_id>005</agent_id>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
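The change suggested in the reply above, written out as an added example; it is not part of the original thread and not the poster's actual configuration. The closing tags, the `<level>` value (taken from the "level 6 or higher" requirement in the thread) and the `<timeout>` value are constructed for illustration.

```xml
<!-- Before (pattern described in the thread): one block per agent with
     location=defined-agent. Each block runs firewall-drop on its fixed
     agent whenever its conditions match, no matter which agent raised
     the alert, so a scan of one host gets blocked on every listed agent. -->
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>005</agent_id>
  <level>6</level>
</active-response>
<!-- ...repeated for each further agent ID... -->

<!-- After: a single block with location=local. The command runs only on
     the agent that generated the event, so no per-agent blocks and no
     agent_id are needed. Any rule filters already in use stay as they
     are; the location is the only change. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <!-- constructed value: seconds before the block is lifted; relies on
       <timeout_allowed>yes</timeout_allowed> in the command definition -->
  <timeout>600</timeout>
</active-response>
```

After restarting OSSEC, repeat the single-host scan and compare active-response.log across the agents: only the scanned agent should record a firewall-drop entry.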
