On Fri, Sep 2, 2016 at 7:54 AM, C. L. Martinez <[email protected]> wrote:
> On Fri 2.Sep'16 at 7:37:24 -0400, dan (ddp) wrote:
>> On Fri, Sep 2, 2016 at 7:07 AM, C. L. Martinez <[email protected]> wrote:
>> > Hi all,
>> >
>> > Is it possible to assign multiple agent_id for one active response only?
>> > Example:
>> >
>> > <active-response>
>> >   <command>firewall-drop</command>
>> >   <location>defined-agent</location>
>> >   <agent_id>003,004</agent_id>
>> >   <level>7</level>
>> >   <timeout>86400</timeout>
>> >   <repeated_offenders>2880,4320,5760</repeated_offenders>
>> > </active-response>
>> >
>> > Thanks.
>> >
>>
>> Have you tried it? I can't remember for sure, but I feel like you can't.
>>
>
> Well, I have inserted these lines in ossec.conf's server manager and restarted
> it. There is no error in ossec.log. But, how can I test it? If it doesn't
> work, could this config be ok?
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>defined-agent</location>
>   <agent_id>003</agent_id>
>   <level>7</level>
>   <timeout>86400</timeout>
>   <repeated_offenders>2880,4320,5760</repeated_offenders>
> </active-response>
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>defined-agent</location>
>   <agent_id>004</agent_id>
>   <level>7</level>
>   <timeout>86400</timeout>
>   <repeated_offenders>2880,4320,5760</repeated_offenders>
> </active-response>

I believe having multiple <active-responses> with the same command, but
different agent_ids, should work. The surest way to find out is to trigger one
of those events and make sure the IP is added to the blocklist.

> --
> Greetings,
> C. L. Martinez
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
