Many Thanks

On Tuesday, 10 December 2013 17:57:07 UTC-2, dan (ddpbsd) wrote:
> On Tue, Dec 3, 2013 at 7:08 PM, Fernando Cardoso <[email protected]> wrote:
> > Thanks Dan,
> >
> > So... I'm doing it wrong =(
> >
> > All of my configuration related to active response is working in the
> > agents. I read in some documentation (I don't remember when or what) that
> > active response options are available only in a server or local installation,
> > so I installed the hybrid mode =\
> >
>
> The configuration is done on the server, but the agents generally run
> the AR commands.
> If you need more fine-grained control, installing local/hybrid setups
> may be the way to go.
>
> > Anyway.. how can I configure my server to manage active response in ossec
> > agents??
> > In my mind this should work like this example:
> > The client receives an ssh brute force -> the client communicates with the
> > server -> the server triggers tcp wrappers in a client
> >
> > Right?
> >
>
> That's pretty much how it works. Make sure AR is enabled on the
> agents, configure it on the server.
>
> > Currently all of my agents use active response with tcp wrappers locally and
> > just communicate with the server to register alerts and events.
> >
> > Best regards,
> > Fernando C.
> >
> > On Tuesday, 3 December 2013 16:43:24 UTC-2, dan (ddpbsd) wrote:
> >>
> >> On Tue, Dec 3, 2013 at 12:01 PM, Fernando Cardoso <[email protected]>
> >> wrote:
> >> > Hello,
> >> >
> >> > I have many agents installed with hybrid mode configuration.
> >> >
> >> > By default the startup "/etc/init.d/ossec start" only starts the agent:
> >> > /var/ossec/ossec-agent/bin/ossec-agentd
> >> > /var/ossec/ossec-agent/bin/ossec-logcollector
> >> > /var/ossec/ossec-agent/bin/ossec-syscheckd
> >> >
> >> > If I start ossec through "/var/ossec/bin/ossec-control start" it works
> >> > fine:
> >> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-agentd
> >> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-logcollector
> >> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-syscheckd
> >> > 00:00:00 /var/ossec/bin/ossec-execd
> >> > 00:00:00 /var/ossec/bin/ossec-analysisd
> >> > 00:00:00 /var/ossec/bin/ossec-logcollector
> >> > 00:00:00 /var/ossec/bin/ossec-syscheckd
> >> > 00:00:00 /var/ossec/bin/ossec-monitord
> >> >
> >> > I use hybrid mode because I need the ossec-agent managed by the server and I
> >> > need active-response locally too.
> >> >
> >> > To solve this issue I need to change the file /etc/ossec-init.conf
> >> > (DIRECTORY).
> >> >
> >> > My doubts are:
> >> > Is my installation OK? Why is only the agent started by default?
> >>
> >> Probably an oversight. I'm not entirely sure how much testing went
> >> into hybrid before it was included.
> >>
> >> > Do I really need the hybrid mode for active response?
> >>
> >> You do not need hybrid mode to use active response. If that's what you
> >> thought, please point out the documentation that led you to believe
> >> this so I can correct it.
> >>
> >> > Can I manage the active response through ossec-server?
> >> >
> >>
> >> Active response is managed through the server. The only configuration
> >> done on the agent is enabling or disabling it.
> >>
> >> > Many Thanks
> >> > Fernando C
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
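An added example, not part of the thread, of the split Dan describes: the server's ossec.conf defines the tcp-wrappers command (host-deny) and binds it to the sshd brute-force rule with `<location>local</location>`, so the agent that raised the alert runs it; the agent's ossec.conf only switches active response on. Rule ID 5712 and host-deny.sh are stock OSSEC; the 600-second timeout is an assumed value.

```xml
<!-- Server side: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <!-- Define the command. host-deny.sh adds the offending source IP to
       /etc/hosts.deny (tcp wrappers) on the host where it runs. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the sshd brute-force rule. "local" means the
       agent that produced the alert executes it, which is the flow
       described in the thread (alert on agent -> server -> block on agent).
       The 600 s timeout is an assumed value; the entry is removed after it. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Agent side: the agent's ossec.conf (in the hybrid install from the
     thread, under /var/ossec/ossec-agent/etc/). Nothing else is configured
     here; the agent only needs active response enabled so ossec-execd
     will run commands the server sends. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

Check the result on the agent by watching /var/ossec/logs/active-responses.log (stock OSSEC log path) after a triggered alert, and confirm the address appears in /etc/hosts.deny and is removed again after the timeout.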
