Ok. I'll do that. Thanks for the clarification on the syntax.

Kr,
Dimitri

On 6 Sep 2013 17:18, "dan (ddp)" <[email protected]> wrote:
> On Thu, Sep 5, 2013 at 11:38 AM, <[email protected]> wrote:
> > Dan,
> >
> > Yes, that was the original config,
> > but then it will be executed on every agent that generates an event like that.
> > I admit that the way these tags add up is pretty confusing to me.
> > So initially I had this:
> >
> >   <active-response>
> >     <command>firewall-drop</command>
> >     <location>local</location>
> >     <agent_id>005, 006, 007, 011, 012</agent_id>
> >     <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >   </active-response>
> >
> > So what I wanted it to do was to block an offending IP that generated
> > something on 1 host, and on that host only.
>
> I'm not sure there's a way to do that. I'd personally separate servers
> for agents with vastly different needs. With cheap virtualization and
> hybrid installs it shouldn't be too difficult.
>
> > I wanted every alert that appears in the rule groups specified in
> > <rules_group> to be blocked on the originating host, but only for the hosts
> > that I specified in <agent_id> (because I want to run ossec for
> > internal servers as well, but I don't want it blocking other internal servers,
> > users ... whatever. I could do this with whitelists, but the documentation
> > vaguely indicated that it would be possible with the code block above).
> >
> > So with the block above it ignored <agent_id>005, 006, 007, 011,
> > 012</agent_id> and simply executed it on any host on which an event was
> > generated and that was connected to ossec.
> > On Wednesday, September 4, 2013 6:01:34 PM UTC+2, [email protected] wrote:
> >>
> >> On 1 of my servers I get an alert during testing, detected by modsecurity
> >> and forwarded to ossec. This alert comes from one of the test servers and I
> >> would expect that active response would be activated only on the server that
> >> underwent the action; however, apparently this IP address was then blocked on
> >> all the servers, while only notifying in the alerts that it had blocked
> >> the IP for only 2 servers (all the clients have the same configuration,
> >> distributed by agent.conf):
> >>
> >> ** Alert 1378301036.1249820: - apache,access_denied,
> >> 2013 Sep 04 15:23:56
> >>
> >> Wed Sep 4 15:23:56 CEST 2013
> >> /var/ossec/active-response/bin/firewall-drop.sh add - 172.30.6.23 1378301036.1249820 30118
> >>
> >> How is this possible?
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
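A practitioner's workaround for the behaviour reported in the thread (with `<location>local</location>` the firewall-drop ran on every agent that raised the alert, regardless of the `<agent_id>` list), as an added example that is not part of the thread and not OSSEC's own code: a wrapper placed in front of firewall-drop.sh that only delegates to the real script on hosts named in a local allow-list, so the decision about which agents may block is made on each agent rather than in the active-response block. It assumes the argument order visible in the log line above (action, user, srcip, alert id, rule id); the hostnames web01..web03, the allow-list variable and the log path are placeholders, and pointing an OSSEC `<command>` definition at the wrapper instead of at firewall-drop.sh is left to the reader.

```shell
#!/bin/sh
# Hypothetical agent-side gate for an OSSEC active-response script (added
# example; not OSSEC's firewall-drop.sh). OSSEC invokes the script as
#   <script> <action> <user> <srcip> <alert-id> <rule-id>
# which is the form seen in the thread's active-response log line:
#   firewall-drop.sh add - 172.30.6.23 1378301036.1249820 30118
# The wrapper forwards to the real script only on hosts in ALLOWED_HOSTS.

# Space-separated hostnames permitted to block (placeholder names).
ALLOWED_HOSTS="${ALLOWED_HOSTS:-web01 web02 web03}"
# Real script to delegate to (standard OSSEC install path, assumed present).
REAL_SCRIPT="${REAL_SCRIPT:-/var/ossec/active-response/bin/firewall-drop.sh}"
# Where the gate records its decisions (assumed writable by the agent).
LOG="${LOG:-/var/ossec/logs/active-responses.log}"

# should_block <hostname> <allow-list>: returns 0 if the host is listed, else 1.
should_block() {
    host=$1
    for allowed in $2; do
        [ "$host" = "$allowed" ] && return 0
    done
    return 1
}

# valid_ipv4 <addr>: returns 0 for a dotted quad, else 1. The srcip ends up in a
# firewall rule, so refuse anything that is not plainly an address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gate <action> <user> <srcip> <alert-id> <rule-id> [hostname]
# Prints the decision; returns 0 when the real script should run, 1 when the
# host is not allowed to block, 2 when the arguments are malformed.
gate() {
    action=$1; user=$2; srcip=$3; alert_id=$4; rule_id=$5
    host=${6:-$(hostname -s)}
    case "$action" in
        add|delete) ;;
        *) echo "gate: bad action '$action'" >&2; return 2 ;;
    esac
    if ! valid_ipv4 "$srcip"; then
        echo "gate: refusing non-IPv4 srcip '$srcip'" >&2
        return 2
    fi
    if should_block "$host" "$ALLOWED_HOSTS"; then
        echo "$(date) $host: $action $srcip (alert $alert_id, rule $rule_id)"
        return 0
    fi
    echo "$(date) $host: skipped $action $srcip, host not in allow-list"
    return 1
}

# When invoked by OSSEC with the usual arguments, log the decision and, if the
# host is allowed, hand the unchanged arguments to the real script.
if [ $# -ge 3 ]; then
    if gate "$@" >>"$LOG" 2>&1; then
        exec "$REAL_SCRIPT" "$@"
    fi
fi
```

Deploy the wrapper alongside firewall-drop.sh on every agent and ship ALLOWED_HOSTS with the rest of the agent configuration; the active-response block can then stay identical on all agents (as with agent.conf distribution) while only the listed hosts actually insert firewall rules. The `delete` action passes through the same gate, so a host that never added a rule never tries to remove one.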
