On Tue, Jun 30, 2015 at 3:14 PM, Jeff Blaine <[email protected]> wrote:
> On Tuesday, June 30, 2015 at 5:27:58 AM UTC-4, [email protected] wrote:
>>
>> I see it as a feature, and it works like a cluster of information.
>> We discovered it in a very bad case!
>
> It's a feature and a design flaw, IMO.
>
> The feature part is as you described.
>
> The design flaw is that Active Response doesn't allow one to generically
> "act only on the host where the problem was found". In the case of, for
> example, one host's /var/www/html directory contents changing (syscheck sees
> a new file added), an action should be able to be configured (generically)
> to act only on that host. Perhaps send the file to an alert team.
>

We enjoy receiving patches for new features in the form of pull requests to
the github repo: https://github.com/ossec/ossec-hids

>> When an IP is triggering an alert, all the servers block this IP.
>> It protects the datacenter more, but it could really go wrong.
>>
>> The second problem is that if you put a lot of servers/rules in AR, you
>> could have performance problems with thousands of IPs blocked each second.
>>
>> ----- Original Message -----
>> From: "Jeff Blaine" <[email protected]>
>> To: [email protected]
>> Sent: Friday, 26 June 2015 18:22:46
>> Subject: [ossec-list] AR command executing when it should not be
>>
>> When rule 550 or 554 is hit with ANY agent as the source, the command
>> below is executing on agent 19.
>>
>> As I understand AR, the command should only be executing on agent 19 when
>> rule 550 or 554 is hit *with agent 19 as the origin*.
>>
>> Is this a bug or a misunderstanding on my part somewhere?
>>
>> Config piece:
>>
>> <active-response>
>>   <command>test-it</command>
>>   <location>defined-agent</location>
>>   <agent_id>019</agent_id>
>>   <rules_id>550,554</rules_id>
>> </active-response>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
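For contrast with the `defined-agent` block quoted in the thread, the following is an added example (not from this thread or the OSSEC project) that places the same response next to one bound with OSSEC's `local` location, which runs the command on the agent that raised the alert. The `test-it` command definition and its `test-it.sh` script are assumed; the thread only references the command by name.

```xml
<!-- Added example, not from the thread. The command definition below is
     assumed: the thread only names "test-it". The executable is expected
     to live in OSSEC's active-response/bin directory. -->
<command>
  <name>test-it</name>
  <executable>test-it.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<!-- As quoted in the thread: "defined-agent" pins execution to agent 019,
     so the command runs there whenever rule 550 or 554 fires on ANY agent.
     This is the behaviour the original poster observed. -->
<active-response>
  <command>test-it</command>
  <location>defined-agent</location>
  <agent_id>019</agent_id>
  <rules_id>550,554</rules_id>
</active-response>

<!-- Alternative: "local" runs the command only on the agent that generated
     the alert, so a syscheck hit on one host acts on that host alone rather
     than on every server, which also limits the fan-out the thread worries
     about with "all the servers block this IP". -->
<active-response>
  <command>test-it</command>
  <location>local</location>
  <rules_id>550,554</rules_id>
</active-response>
```

With `local`, the command still needs to be installed on each agent that may raise the alert, since it is executed there rather than on the manager or a fixed agent.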
