Hello, I'm having this same problem. Could you tell me how you solved it?
Thank you.

On Thursday, 8 November 2012, 18:45:17 (UTC-2), dan (ddpbsd) wrote:

> On Thu, Nov 8, 2012 at 3:39 PM, CTech <[email protected]> wrote:
> > I have ossec agents running on several machines, but only one of them
> > ("agent 001") is set in the server's ossec.config to allow active response.
> > The <active-response> section in my server's ossec.config is pasted at the
> > bottom of this message, since someone is sure to ask for it otherwise.
> >
> > This appeared to have been working fine. However, recently "agent 001" began
> > blocking traffic from "agent 002." I was able to quickly resolve this by
> > adding a <white_list> entry. When I started looking at logs to find out
> > exactly what rule "agent 002" had triggered, I found that "agent 002" was
> > nowhere in ossec's alert or active-response logs as a source IP sending
> > traffic to "agent 001." Where "agent 002" did appear in the logs, having
> > triggered an alert, it was because a problem in apache on that server had
> > caused it to appear to be attacking itself, triggering a level 6 rule
> > multiple times.
> >
> > So here is my question: Am I missing something, or is active response,
> > although firing only on "agent 001," responding to alerts generated on
> > "agent 002"? Having "agent 002" whitelisted should prevent today's problem,
> > but I don't want iptables on "agent 001" blocking addresses that don't need
> > to be blocked. I will greatly appreciate any clarity you can offer.
> >
> > <active-response>
> > <disabled>no</disabled>
> > <command>firewall-drop</command>
> > <location>defined-agent</location>
> > <agent_id>001</agent_id>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
>
> agent001 could very well be adding blocks based on alerts from agent002.
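The behaviour dan confirms follows from the `<location>` setting: with `defined-agent`, the server sends the `firewall-drop` command to agent 001 for every alert at level 6 or above, no matter which agent produced it, so an alert from agent 002 (including the apache-on-itself case) ends up as an iptables block on agent 001. The configuration below is an added illustration, not from the original thread or the OSSEC project: it shows the quoted section beside a narrowed version that uses `<location>local</location>`, so the block is applied only on the agent whose own alert fired, and keeps a `<white_list>` in the server's `<global>` section as a safety net. The whitelisted network is a constructed placeholder.

```xml
<!-- Added example, not from the original thread. The whitelisted
     network below is a placeholder; replace it with your own hosts. -->

<!-- Original shape: any level-6+ alert from ANY agent makes agent 001
     run firewall-drop against that alert's source IP. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Narrowed: the command runs only on the agent that generated the alert,
     so an alert raised on agent 002 cannot cause a block on agent 001.
     The white_list (server-side, <global> section) is kept so addresses
     that must never be blocked stay reachable even if a rule misfires. -->
<ossec_config>
  <global>
    <!-- placeholder network: hosts no agent should ever block -->
    <white_list>192.0.2.0/24</white_list>
  </global>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Triggering on `<level>` alone is still broad, since every level-6 rule in the ruleset qualifies; restricting the response with `<rules_id>` or `<rules_group>` to the rules that actually indicate hostile traffic keeps a local application problem from producing firewall changes at all. After editing, restart the server and check `/var/ossec/logs/active-responses.log` on the agent to confirm that blocks now correspond only to that agent's own alerts.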
