On Wed, Oct 2, 2013 at 10:36 AM, FSoyer <[email protected]> wrote: > Oh so I probably missed something : OK for the rule but how do I setup a > response on all agents at the same time ? > Actually an active response block only on one host at a time. >
All active response configurations are done on the server (as long as AR is enabled on the agent). You can use the "all" location for an AR to be triggered on all agents. > Le mercredi 2 octobre 2013 15:05:14 UTC+2, dan (ddpbsd) a écrit : >> >> Yes. Write a rule looking for authentication failures from the same >> ip, and setup active response to block on all agents. >> >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
