On Tue, Dec 3, 2013 at 7:08 PM, Fernando Cardoso <[email protected]> wrote:
> Thanks Dan,
>
> So... I'm doing it wrong =(
>
> All of my configuration related to active response is working in
> agents. I read in some documentation (I don't remember when or what) that
> active response options are available only in server or local installations, so I
> installed the hybrid mode =\
>

The configuration is done on the server, but the agents generally run
the AR commands. If you need more fine grained control, installing
local/hybrid setups may be the way to go.

> Anyway.. how can I configure my server to manage active response in ossec
> agents??
> In my mind this should work like this example:
> The client receives an ssh brute force
> the client communicates with the server
>
> the server triggers tcp wrappers in a client
>
> Right?
>

That's pretty much how it works. Make sure AR is enabled on the agents,
configure it on the server.

> Currently all of my agents use active response with tcp wrappers locally and
> just communicate with the server to register alerts and events.
>
> Best regards,
> Fernando C.
>
> On Tuesday, December 3, 2013 at 4:43:24 PM UTC-2, dan (ddpbsd) wrote:
>>
>> On Tue, Dec 3, 2013 at 12:01 PM, Fernando Cardoso <[email protected]>
>> wrote:
>> > Hello,
>> >
>> > I have many agents installed with hybrid mode configuration.
>> >
>> > By default the startup "/etc/init.d/ossec start" only starts the agent:
>> > /var/ossec/ossec-agent/bin/ossec-agentd
>> > /var/ossec/ossec-agent/bin/ossec-logcollector
>> > /var/ossec/ossec-agent/bin/ossec-syscheckd
>> >
>> > If I start ossec through "/var/ossec/bin/ossec-control start" it works
>> > fine:
>> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-agentd
>> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-logcollector
>> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-syscheckd
>> > 00:00:00 /var/ossec/bin/ossec-execd
>> > 00:00:00 /var/ossec/bin/ossec-analysisd
>> > 00:00:00 /var/ossec/bin/ossec-logcollector
>> > 00:00:00 /var/ossec/bin/ossec-syscheckd
>> > 00:00:00 /var/ossec/bin/ossec-monitord
>> >
>> > I use hybrid mode because I need the ossec-agent managed by the server and I
>> > need active-response locally too.
>> >
>> > To solve this issue I need to change the file /etc/ossec-init.conf
>> > (DIRECTORY).
>> >
>> > My doubts are:
>> > Is my installation OK? Why is only the agent started by default?
>>
>> Probably an oversight. I'm not entirely sure how much testing went
>> into hybrid before it was included.
>>
>> > Do I really need the hybrid mode for active response?
>>
>> You do not need hybrid mode to use active response. If that's what you
>> thought, please point out the documentation that led you to believe
>> this so I can correct it.
>>
>> > Can I manage the active response through ossec-server?
>> >
>>
>> Active response is managed through the server. The only configuration
>> done on the agent is enabling or disabling it.
>>
>> > Many Thanks
>> > Fernando C
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
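An added example, not from the thread or the OSSEC project's own files, of the split Dan describes (command and response defined on the server, only the on/off switch on the agent) for the SSH brute force / tcp wrappers case Fernando asks about. It assumes OSSEC's stock host-deny.sh response script and stock sshd rule 5712; the hybrid-layout agent config path is an assumption based on the bin paths quoted in the thread.

```xml
<!-- Server side: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <!-- The command: which script to run and which alert field it is given.
       host-deny.sh ships with OSSEC and adds the source IP to /etc/hosts.deny
       (tcp wrappers). timeout_allowed lets the server schedule the matching
       "delete" call so the block is lifted again automatically. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- The response: when the SSH brute-force rule fires, run host-deny on
       the agent that produced the alert (location "local") and undo it after
       600 seconds. rules_id 5712 is OSSEC's stock "SSHD brute force trying to
       get access" rule; a <level> element could be used instead to react to
       any alert at or above a given level. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Agent side: the only AR setting the agent needs. In the hybrid layout
     from the thread this is assumed to be /var/ossec/ossec-agent/etc/ossec.conf;
     a plain agent install uses /var/ossec/etc/ossec.conf. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

The two `<ossec_config>` sections are separate files on separate hosts, shown together only for comparison. Responses the agent actually executes are written to its own logs/active-responses.log, which is the quickest way to confirm the server is driving the agent rather than a local rule.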
