On Thu, Sep 5, 2013 at 11:38 AM,  <[email protected]> wrote:
> Dan,
>
>
> yes, that was the original config
>
> but then it will be executed on every agent that generates an event like that
>
> i admit that the way these tags add up is pretty confusing to me
>
> so initially i had this:
> <active-response>
>   <command>firewall-drop</command>
>   <location>local</location>
>   <agent_id>005, 006, 007, 011, 012</agent_id>
>   <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> so what i wanted it to do was to block an offending ip that generated
> something on 1 host and on that host only.
>

I'm not sure there's a way to do that. I'd personally separate servers
for agents with vastly different needs. With cheap virtualization and
hybrid installs it shouldn't be too difficult.

> i wanted every alert that appears in the rule groups specified in
> <rules_group> to be blocked on the originating host but only for the hosts
> that i specified in <agent_id> (because i want to run ossec on
> internal servers as well but i don't want it blocking other internal servers,
> users ... whatever. i could do this with whitelists but the documentation
> vaguely indicated that it would be possible with the code block above)
>
> so with the block above it ignored <agent_id>005, 006, 007, 011,
> 012</agent_id> and simply executed it on any host on which an event was
> generated and that was connected to ossec.
>
> On Wednesday, September 4, 2013 6:01:34 PM UTC+2, [email protected] wrote:
>>
>> on 1 of my servers i get an alert during testing detected by modsecurity
>> and forwarded to ossec , this alert comes from one of the test servers and i
>> would expect that active response would be activated only on the server that
>> underwent the action, however apparently this ip address was then blocked on
>> all the servers , while only notifying in  the alerts that it had blocked
>> the ip for only 2 servers (all the client have the same configuration
>> distributed by agent.conf):
>>
>> ** Alert 1378301036.1249820: - apache,access_denied,
>> 2013 Sep 04 15:23:56
>>
>> Wed Sep  4 15:23:56 CEST 2013
>> /var/ossec/active-response/bin/firewall-drop.sh add - 172.30.6.23
>> 1378301036.1249820 30118
>>
>> how is this possible
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.


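The confusion in this thread is about which part of an `<active-response>` block selects the *alert* (`<rules_group>`, `<level>`) and which part selects the *host* that runs the command (`<location>`, `<agent_id>`). The following is an added example, not code from the thread or from the OSSEC project: it parses the poster's block and a `defined-agent` variant, then evaluates constructed sample alerts against them. The host-selection semantics are modeled from the OSSEC active-response documentation and from the behaviour the poster reports (`local` runs on the agent that raised the alert and does not consult `<agent_id>`; `defined-agent` runs on the listed agents); treat that model as an assumption and confirm it against your own deployment before relying on it.

```python
"""Model of OSSEC <active-response> alert and host selection.

Added example; not code from the thread or from OSSEC itself. The
matching rules below are an assumption modeled from the OSSEC docs and
from the behaviour described in this thread.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the block posted in the thread (location=local).
CONFIG_LOCAL = """
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <agent_id>005, 006, 007, 011, 012</agent_id>
  <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
"""

# Constructed variant: same block with location=defined-agent.
CONFIG_DEFINED = CONFIG_LOCAL.replace(
    "<location>local</location>", "<location>defined-agent</location>")


def parse_active_response(xml_text):
    """Parse one <active-response> block into a dict of normalized fields."""
    root = ET.fromstring(xml_text.strip())

    def text(tag):
        node = root.find(tag)
        return node.text.strip() if node is not None and node.text else ""

    return {
        "command": text("command"),
        "location": text("location"),
        # Both lists are comma separated; whitespace is tolerated.
        "agent_ids": {a.strip() for a in text("agent_id").split(",") if a.strip()},
        "rules_group": {g.strip() for g in text("rules_group").split(",") if g.strip()},
        "level": int(text("level") or 0),
        "timeout": int(text("timeout") or 0),
    }


def alert_matches(ar, alert):
    """Alert selection: level at or above <level>, and at least one of the
    alert's groups appears in <rules_group> (any-match, not all-match)."""
    if alert["level"] < ar["level"]:
        return False
    if ar["rules_group"] and not (ar["rules_group"] & set(alert["groups"])):
        return False
    return True


def target_agents(ar, alert, all_agents):
    """Host selection, modeled per <location> (assumption, see module doc).
    Returns the set of agent ids that would run the command."""
    if not alert_matches(ar, alert):
        return set()
    loc = ar["location"]
    if loc == "local":
        # Only the agent that raised the alert; <agent_id> is not consulted.
        return {alert["agent_id"]}
    if loc == "defined-agent":
        return set(ar["agent_ids"])
    if loc == "all":
        return set(all_agents)
    if loc == "server":
        return {"server"}
    raise ValueError("unknown <location>: %r" % loc)


# Constructed alerts: the thread's apache/access_denied alert, once from an
# agent that is in <agent_id> and once from one that is not.
ALERT_FROM_005 = {"agent_id": "005", "level": 6, "groups": ["apache", "access_denied"]}
ALERT_FROM_003 = {"agent_id": "003", "level": 6, "groups": ["apache", "access_denied"]}
ALERT_LOW_LEVEL = {"agent_id": "003", "level": 5, "groups": ["apache", "access_denied"]}
ALL_AGENTS = ["003", "005", "006", "007", "011", "012"]


def evaluate():
    """Run the sample alerts through both configs and return the outcomes."""
    local = parse_active_response(CONFIG_LOCAL)
    defined = parse_active_response(CONFIG_DEFINED)
    return {
        "local_from_005": target_agents(local, ALERT_FROM_005, ALL_AGENTS),
        "local_from_003": target_agents(local, ALERT_FROM_003, ALL_AGENTS),
        "local_low_level": target_agents(local, ALERT_LOW_LEVEL, ALL_AGENTS),
        "defined_from_003": target_agents(defined, ALERT_FROM_003, ALL_AGENTS),
    }


if __name__ == "__main__":
    for name, agents in evaluate().items():
        print("%-18s -> %s" % (name, sorted(agents) or "no response"))
```

Running it shows why the posted block behaved as reported: with `local`, an alert from agent 003 (not in `<agent_id>`) still triggers `firewall-drop` on 003, because `local` resolves the host from the alert, not from the list. Switching to `defined-agent` makes the list authoritative but then every matching alert, from any agent, runs the drop on all five listed hosts, which is the opposite of "block only on the originating host". Neither location expresses "originating host, but only if it is one of these agents", which is the gap Dan's reply points at.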