Hi list,

I was unable to find an answer to this question in the posts, but it seems strange to me that no one has had this need, so sorry if this has been discussed before.

I have a server-agent architecture (say: one server, 20 agents). Is there a way to detect a scan, for example based on multiple failed login attempts from the same IP on some (or all) agents, but instead of blocking the hacker's IP individually and sequentially on each agent when the scan is detected, configure the server to say "block this IP on ALL agents if it has been detected as a scan attempt on at least 2 (or 3) agents"?

Hope this is clear :)

Thanx
Frank
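
The correlation the question describes, written out as an added example; it is not part of the original post and is not OSSEC code or configuration. The alert tuples, the class and function names, the 3-agent threshold and the 600-second window are all assumptions, and how alerts reach the server or how a block is pushed to the agents is outside its scope.

```python
from collections import defaultdict, deque

# Constructed sample alerts: (epoch seconds, reporting agent, source IP).
# Each tuple stands for one "failed login scan" alert raised by one agent.
SAMPLE_ALERTS = [
    (1000, "agent01", "203.0.113.7"),
    (1005, "agent01", "203.0.113.7"),   # same agent again: still 1 agent
    (1010, "agent02", "198.51.100.9"),
    (1020, "agent05", "203.0.113.7"),   # 2nd distinct agent
    (1030, "agent09", "203.0.113.7"),   # 3rd distinct agent: threshold met
    (1040, "agent11", "203.0.113.7"),   # already flagged, no duplicate
    (5000, "agent03", "198.51.100.9"),  # too long after the 1010 report
]


class CrossAgentCorrelator:
    """Flag a source IP once at least `min_agents` distinct agents
    have reported it within `window` seconds."""

    def __init__(self, min_agents=3, window=600):
        self.min_agents = min_agents
        self.window = window
        self.seen = defaultdict(deque)  # ip -> deque of (ts, agent)
        self.blocked = set()

    def feed(self, ts, agent, src_ip):
        """Return True exactly once, when src_ip crosses the threshold."""
        if src_ip in self.blocked:
            return False
        events = self.seen[src_ip]
        events.append((ts, agent))
        # Drop reports that have fallen out of the sliding window.
        while events and events[0][0] < ts - self.window:
            events.popleft()
        # Count distinct agents, not alerts, so one noisy agent cannot
        # trigger a fleet-wide block on its own.
        if len({a for _, a in events}) >= self.min_agents:
            self.blocked.add(src_ip)
            del self.seen[src_ip]
            return True
        return False


def ips_to_block(alerts, min_agents=3, window=600):
    """Replay alerts in time order; return IPs to block on all agents."""
    c = CrossAgentCorrelator(min_agents, window)
    return [ip for ts, agent, ip in sorted(alerts) if c.feed(ts, agent, ip)]


if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_ALERTS):
        print("block on all agents:", ip)
```
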
