hi
<agent_id>003,004</agent_id> doesn't work
but each section separately is working

<active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>067</agent_id>
    <timeout>864000</timeout>
    <rules_id>117154,31510,117159,117162</rules_id>
</active-response>

<active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>038</agent_id>
    <timeout>864000</timeout>
    <rules_id>117154,31510,117159,117162</rules_id>
</active-response>


be careful with that case
https://github.com/ossec/ossec-hids/issues/701

if you have a lot of attacks the script can't be fast enough (I have the case with a Chinese DNS pointing at one of our servers by error)
cheers
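To make the finding in this thread mechanical, here is an added example (not OSSEC project code, and not from any poster) that reads a fragment of `ossec.conf`, flags `<active-response>` blocks whose `<agent_id>` holds a comma-separated list, and rewrites them into one block per agent, which is the form reported to work above. The assumption, taken from the thread, is that OSSEC accepts only a single agent id in that element; the sample fragment is constructed for the example.

```python
"""Expand comma-separated <agent_id> lists in OSSEC active-response blocks.

Added example, not OSSEC project code. Assumption (from the mailing-list
thread): <agent_id>003,004</agent_id> is not understood as two agents, so
the response never fires, while one <active-response> block per agent works.
This script rewrites such blocks into the working form and reports what it
changed, so the result can be reviewed before restarting the manager.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample fragment, mirroring the block discussed in the thread,
# plus a block with no agent_id that must pass through untouched.
SAMPLE_FRAGMENT = """
<active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003,004</agent_id>
    <level>7</level>
    <timeout>86400</timeout>
    <repeated_offenders>2880,4320,5760</repeated_offenders>
</active-response>
<active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
</active-response>
"""


def parse_fragment(text):
    """Parse a sequence of top-level <active-response> elements.

    An ossec.conf fragment has no single root element, so it is wrapped in a
    synthetic one before parsing.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    return [el for el in root if el.tag == "active-response"]


def agent_ids(block):
    """Return the agent ids named in a block as a list ([] if none)."""
    node = block.find("agent_id")
    if node is None or not (node.text or "").strip():
        return []
    return [a.strip() for a in node.text.split(",") if a.strip()]


def expand_block(block):
    """Return one copy of the block per agent id (the block itself if <= 1)."""
    ids = agent_ids(block)
    if len(ids) <= 1:
        return [block]
    out = []
    for agent in ids:
        clone = copy.deepcopy(block)
        clone.find("agent_id").text = agent
        out.append(clone)
    return out


def expand_fragment(text):
    """Expand every block in the fragment.

    Returns (rewritten_xml, findings) where findings lists (command, ids)
    for each block that named more than one agent.
    """
    findings = []
    expanded = []
    for block in parse_fragment(text):
        ids = agent_ids(block)
        if len(ids) > 1:
            findings.append((block.findtext("command"), ids))
        expanded.extend(expand_block(block))
    rendered = "\n".join(
        ET.tostring(b, encoding="unicode").strip() for b in expanded
    )
    return rendered, findings


if __name__ == "__main__":
    xml_out, hits = expand_fragment(SAMPLE_FRAGMENT)
    for command, ids in hits:
        print(f"split <{command}> block into {len(ids)} blocks: {ids}")
    print(xml_out)
```

Run it against the relevant part of `ossec.conf` and compare the rewritten blocks with the original before pasting them back; as dan notes further down, the real confirmation is still to trigger one of the rules and check that the source address actually lands in the agent's firewall drop list.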



On 2016-09-02 15:40, dan (ddp) wrote:
On Fri, Sep 2, 2016 at 7:54 AM, C. L. Martinez <[email protected]> wrote:
On Fri  2.Sep'16 at  7:37:24 -0400, dan (ddp) wrote:
On Fri, Sep 2, 2016 at 7:07 AM, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
>  Is it possible to assign multiple agent_id for one active response only?
> Example:
>
> <active-response>
>     <command>firewall-drop</command>
>     <location>defined-agent</location>
>     <agent_id>003,004</agent_id>
>     <level>7</level>
>     <timeout>86400</timeout>
>     <repeated_offenders>2880,4320,5760</repeated_offenders>
>   </active-response>
>
> Thanks.
>

Have you tried it? I can't remember for sure, but I feel like you can't.


Well, I have inserted these lines in ossec.conf on the server manager and restarted it. There is no error in ossec.log. But how can I test it? If it doesn't work, would this config be ok?

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <level>7</level>
    <timeout>86400</timeout>
    <repeated_offenders>2880,4320,5760</repeated_offenders>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>004</agent_id>
    <level>7</level>
    <timeout>86400</timeout>
    <repeated_offenders>2880,4320,5760</repeated_offenders>
  </active-response>

I believe having multiple <active-responses> with the same command,
but different agent_ids, should work. The surest way to find out is to
trigger one of those events and make sure the IP is added to the
blocklist.

--
Greetings,
C. L. Martinez

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
