Thanks for the answer,
I just finished my debugging today.

I tested with three agents; my problems were:

one agent had a different configuration with

<disabled>yes</disabled> (maybe it is time for glasses ;)

second problem, maybe a restart,
and the agent_id with a comma doesn't work.


so now it is working with "all" in <location> or like this for two or more
agents:


<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>069</agent_id>
  <rules_id>11451,117106,31510,5503,5712</rules_id>
</active-response>

<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>071</agent_id>
  <rules_id>11451,117106,31510</rules_id>
</active-response>

But I discovered that it blocked:

        * on "all" agents with "all" in the "<location>" option
        * or with several agent_id in several individual "<location>" entries.



I hope we can go for commercial support sometime in the future;
maybe my answer could help someone.

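The two mistakes found above (a block silently switched off with <disabled>yes</disabled>, and a comma-separated <agent_id> in a defined-agent block) are the kind of thing a small config lint catches before a restart. The following is an added example, not OSSEC's own code: it parses the <active-response> blocks of an ossec.conf fragment and reports those two conditions plus a block with no trigger. The sample configuration is constructed for the example; the element names are the ones used in this thread. Since a real ossec.conf may contain several top-level <ossec_config> elements, the text is wrapped in a synthetic root before parsing.

```python
"""Lint the <active-response> blocks of an ossec.conf fragment.

Added example (not OSSEC's own code). It flags the things this thread
turned up: a block switched off with <disabled>yes</disabled>, a
defined-agent block whose <agent_id> is a comma-separated list (the
poster found that form did not work and used one block per agent), and
a block that has no trigger (no rules_id, rules_group or level).

ossec.conf may hold several top-level <ossec_config> elements, which is
not well-formed XML, so the text is wrapped in a synthetic root first.
"""
import xml.etree.ElementTree as ET

# Constructed sample: block 1 is disabled, block 2 uses a comma-separated
# agent_id, block 3 is the working form shown in the thread.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <level>10</level>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>069,071</agent_id>
    <rules_id>11451,117106,31510</rules_id>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>071</agent_id>
    <rules_id>11451,117106,31510</rules_id>
  </active-response>
</ossec_config>
"""


def parse_ossec_conf(text):
    """Return the <active-response> elements found in the fragment."""
    root = ET.fromstring("<ossec_lint_root>" + text + "</ossec_lint_root>")
    return list(root.iter("active-response"))


def _text(elem, tag):
    """Stripped text of a child element, or '' when absent or empty."""
    value = elem.findtext(tag)
    return value.strip() if value else ""


def lint_active_responses(text):
    """Return one human-readable finding per problem, in document order."""
    findings = []
    for idx, ar in enumerate(parse_ossec_conf(text), start=1):
        command = _text(ar, "command")
        location = _text(ar, "location")
        agent_id = _text(ar, "agent_id")
        label = "active-response #%d (%s)" % (idx, command or "no command")

        if _text(ar, "disabled").lower() == "yes":
            findings.append(label + ": <disabled>yes</disabled>, it will never fire")
        if not command:
            findings.append(label + ": missing <command>")
        if not location:
            findings.append(label + ": missing <location>")

        if location == "defined-agent":
            if not agent_id:
                findings.append(label + ": defined-agent without <agent_id>")
            elif "," in agent_id:
                findings.append(label + ": comma-separated <agent_id> '%s'; "
                                "use one block per agent" % agent_id)
        elif agent_id:
            findings.append(label + ": <agent_id> only applies when "
                            "<location> is defined-agent")

        if not any(_text(ar, t) for t in ("rules_id", "rules_group", "level")):
            findings.append(label + ": no trigger (rules_id, rules_group or level)")
    return findings


if __name__ == "__main__":
    for line in lint_active_responses(SAMPLE_CONF):
        print(line)
```

Run it against the real file with `lint_active_responses(open("/var/ossec/etc/ossec.conf").read())`; an empty list means none of the three conditions was found, which is the point at which the questions in the reply below (is ossec-execd running, is AR enabled on both ends) become the next thing to check.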
----- Original Message -----
From: "dan (ddp)" <[email protected]>
To: [email protected]
Sent: Wednesday 26 February 2014 14:01:41
Subject: Re: [ossec-list] Ossec active-response

On Thu, Feb 20, 2014 at 4:45 AM, Александр Чалый <[email protected]> wrote:
> Hello!
>
> I have tried to implement the OSSEC HIDS system in my network. Everything
> about notification is OK, but the active-response rules don't work.
>
> I see some alerts in alert.log, and after that I expect an action, but
> there are no actions (((.
>
> Can you help me?
>

Maybe.
Is Active Response (AR) enabled? On both the OSSEC server and agent?
Is ossec-execd running on the agent?
Are you sure the agent should be running an AR script based on that alert?
Are you sure the correct information is being passed to the agent in
order to actually run the AR script?
How do you know it isn't working?

> Regards,
>
> Alexander Chaliy
> mobile: +38 097 102 45 83
> mail: [email protected]
> skype: achaliy
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
