Dan,
Yes, that was the original config,
but then it will be executed on every agent that generates an event like that.
I admit that the way these tags add up is pretty confusing to me.
So initially I had this:
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <agent_id>005, 006, 007, 011, 012</agent_id>
  <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
So what I wanted it to do was to block an offending IP that generated
something on one host, and on that host only.
I wanted every alert that appears in the rule groups specified in
<rules_group> to be blocked on the originating host, but only for the hosts
that I specified in <agent_id> (because I want to run OSSEC for
internal servers as well, but I don't want it blocking other internal
servers, users, whatever. I could do this with whitelists, but the
documentation vaguely indicated that it would be possible with the code
block above).
So with the block above it ignored <agent_id>005, 006, 007, 011,
012</agent_id> and simply executed it on any host on which an event was
generated and that was connected to OSSEC.
On Wednesday, September 4, 2013 6:01:34 PM UTC+2, [email protected] wrote:
>
> On one of my servers I get an alert during testing, detected by ModSecurity
> and forwarded to OSSEC. This alert comes from one of the test servers, and
> I would expect that active response would be activated only on the server
> that underwent the action; however, apparently this IP address was then
> blocked on all the servers, while only notifying in the alerts that it
> had blocked the IP for only two servers (all the clients have the same
> configuration distributed by agent.conf):
>
> ** Alert 1378301036.1249820: - apache,access_denied,
> 2013 Sep 04 15:23:56
>
> Wed Sep 4 15:23:56 CEST 2013
> /var/ossec/active-response/bin/firewall-drop.sh add - 172.30.6.23
> 1378301036.1249820 30118
>
> How is this possible?
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
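An added configuration example for readers following the question above; it is not part of the original thread and is not the poster's configuration. It assumes the OSSEC active-response semantics as documented for ossec.conf: with <location>local</location> the response runs on the agent that generated the alert and <agent_id> is not consulted, while <location>defined-agent</location> runs the response on the agent named in <agent_id> regardless of which agent raised the alert (assumed here to take a single agent ID). It also assumes the agent-side <disabled> override documented for an agent's own ossec.conf. The agent ID and rule groups are illustrative.

```xml
<!-- Added example, not the original poster's configuration. -->

<!-- 1. Server-side ossec.conf: the response runs on whichever agent
        raised the alert. With location=local, agent_id is ignored, which
        matches the behaviour described in the thread. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_group>web_scan,recon</rules_group>   <!-- illustrative groups -->
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<!-- 2. Server-side ossec.conf: the response always runs on the one agent
        named in agent_id, whatever agent raised the alert (agent_id
        assumed to hold a single ID). -->
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>005</agent_id>                    <!-- illustrative ID -->
  <rules_group>web_scan,recon</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<!-- 3. Agent-side ossec.conf on a host that must never block anything
        (an internal server, for example): the agent refuses to execute
        active responses pushed to it by the manager. -->
<active-response>
  <disabled>yes</disabled>
</active-response>
```

Fragment 1 reproduces the scoping that produced the thread's symptom; fragment 3 is the per-host opt-out that gives the "only on these agents" effect the poster was after without relying on <agent_id> under <location>local</location>.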