Hi
We are running OSSEC 2.7.1. I tested active response and it was working well with one
agent activated.
I tried to run 2 agents, then I saw that we can't use the comma, so I tested like
this:
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>069</agent_id>
  <rules_id>11451,117106,31510,5503,5712</rules_id>
</active-response>

<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>071</agent_id>
  <rules_id>11451,117106,31510</rules_id>
  <timeout>60</timeout>
</active-response>
Since then it doesn't work anymore, even if I revert the
configuration,
or with "all" in the location section, or with only one agent.
Is it because I attack from only one IP address? Where is it stored?
How can I debug?
It is completely annoying to find verbose information or an issue.
So sad, as I was about to put it in production.
Thanks for all