Hi,

first of all, I apologize if this topic has already been covered, but I 
cannot find any information.

Here is my situation; I run a bunch of servers (let's call them Farms) 
behind an AWS Elastic Load Balancer, which has the side effect of 
modifying the originating source address in the IP packet.
Instead, the original IP is added to an X-FORWARDED-FOR HTTP header. At the 
moment, my web application is logging the load balancer IP, and not the 
original IP.
I also have other agents exposed to the internet, in a more regular setup.

Obviously, when active response is triggered on one of the Farms, it blocks the 
internal IP address of the load balancer, blocking all incoming traffic for 
a while (the load balancers will eventually change their internal IP, so it 
does not last long).

What I will do is the following; the application logs will output the 
original IP address (easy), OSSEC will be aware of that, and will block it 
on the corresponding agent. However, since it will trigger a firewall 
rule, it will have no effect on TCP frames, as they will continue to 
appear to come from the load balancers.
Instead, I will populate a file with banned IPs with a custom 
active-response (let's call it AR0), then my HTTP server firewall will read 
the X-FORWARDED-FOR header, and return 403 (or timeout, whatever) if that 
HTTP request comes from a forbidden IP.

So what, isn't everything nice now? Actually no: since hosts are behind a 
load balancer, the next HTTP request coming from a blocked IP might be 
forwarded to another server, which is not aware that this IP should be 
blocked; this setup is useless.

When AR0 is triggered on one server of a Farm, AR0 should be propagated to 
all the other servers of the Farms. Basically, I would like to write my 
active-response something like 

    <active-response>
      <command>AR0</command>
      <location>agentA, agentB, agentC</location>
      [...]
    </active-response>


What are my best options to propagate an active response to a group of 
agents? I could use <location>all</location>, but this seems a bit 
overkill; the active response command will need to determine whether or 
not it is run on the right target. 

Please let me know if you need extra information, or if I did not make 
myself clear.

Related link: 
http://blog.swwomm.com/2015/05/blocking-attacks-on-apache-behind-load.html 
(but it does not deal with active response propagation)

Arthur.
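The X-FORWARDED-FOR check described in the post, as an added example in Python (not code from the original post or from OSSEC): it reads the ban file AR0 would populate, resolves the client address by walking the forwarded chain from the load balancer's end so a client cannot forge a non-banned address with its own header, and decides whether the request gets a 403. The ELB address range, the one-IP-per-line file format and the function names are assumptions.

```python
import ipaddress

def load_banlist(text):
    """Parse the ban file the custom active response (AR0) maintains:
    one IP per line; '#' comments, blank and malformed lines are ignored."""
    banned = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            banned.add(ipaddress.ip_address(entry))
        except ValueError:
            continue
    return banned

def client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the real client address behind the load balancer, or None.
    The hop chain is the X-Forwarded-For entries followed by the TCP peer.
    Walk it from the right (the peer, which we know) and return the first hop
    that is not one of our trusted proxies. Taking the left-most entry would
    let a client forge any address, since clients may send their own header."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain = hops + [remote_addr]
    addr = None
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # an unparsable hop: do not trust anything behind it
        if not any(addr in net for net in trusted):
            return addr
    return addr  # every hop was a trusted proxy: the request came from one

def should_block(remote_addr, xff_header, trusted_proxies, banlist_text):
    """True when the request must get a 403: the resolved client address is in
    the ban file, or the forwarding chain could not be resolved (fail closed)."""
    ip = client_ip(remote_addr, xff_header, trusted_proxies)
    return ip is None or ip in load_banlist(banlist_text)

# Constructed sample data: the ELB's internal range (assumed) and an AR0 ban file.
ELB_RANGES = ["10.0.0.0/8"]
BANLIST = "# written by AR0 (constructed sample)\n203.0.113.7\n198.51.100.9\nnot-an-ip\n"

if __name__ == "__main__":
    # Real client 203.0.113.7 arriving through the ELB -> blocked.
    print(should_block("10.0.1.5", "203.0.113.7", ELB_RANGES, BANLIST))
    # Forged left-most entry; the ELB appended the real client 192.0.2.4 -> allowed.
    print(should_block("10.0.1.5", "203.0.113.7, 192.0.2.4", ELB_RANGES, BANLIST))
```

Because each server reads the same kind of ban file, the propagation problem the post raises remains: AR0 must still get the entry onto every Farm member for this check to be consistent across the load balancer.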
