I haven't looked at this stuff in a while, and I definitely haven't looked at the wazuh documentation (it often doesn't apply to OSSEC). First make sure you're getting the expected ssh logs in a monitored file. Next make sure OSSEC is alerting on it with the expected rule. Also make sure `ossec-execd` is running on both the server and agent.
On Sun, Sep 8, 2024 at 10:55 AM den <kingdomofhellborn...@gmail.com> wrote:
>
> Hi everyone
> I saw an article about configuring active response in OSSEC:
> https://wazuh.com/blog/blocking-attacks-active-response/
>
> I have configured the directive and added some code hoping that it would
> prevent the attack, but it doesn't work.
> I configured the following in ossec.conf:
> <active-response>
> <command> firewall-drop </command>
> <location> local </location>
> <rules_id> 5710 </rules_id>
> <timeout> 600 </timeout>
> </active-response>
>
> <active-response>
> <command> firewall-drop </command>
> <location> local </location>
> <rules_id> 5715 </rules_id>
> <timeout> 600 </timeout>
> </active-response>
> The server doesn't send any alert back to me even when it is attacked; I use
> a SYN flood attack with hping3 to attack the server.
> Is there any way the active response can prevent this?
> Thanks everyone
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/d7511e38-81a2-4a76-9b82-49e702cd7ab4n%40googlegroups.com.
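One way to script the three checks from the reply (SSH log monitored, expected rule alerting, ossec-execd running), as an added example that is not code from the thread or from OSSEC itself; the sample ossec.conf and alerts.log contents are constructed, the paths are the usual OSSEC defaults, and rule id 5710 is taken from the quoted config:

```shell
#!/bin/sh
# Added example, not from the thread: a checklist for the three checks in the
# reply. Paths and sample data are assumptions; /var/ossec is the usual install dir.

# 1) Is the SSH log declared as a <localfile> <location> in ossec.conf?
ssh_log_monitored() {        # $1 = ossec.conf, $2 = log path, e.g. /var/log/auth.log
    grep -A3 '<localfile>' "$1" 2>/dev/null |
        grep -q "<location>[[:space:]]*$2[[:space:]]*</location>"
}

# 2) How many alerts for the rule id are already in alerts.log?
#    Active response only fires after analysisd has raised this rule.
alerts_for_rule() {          # $1 = alerts.log, $2 = rule id (e.g. 5710)
    grep -c "^Rule: $2 " "$1" 2>/dev/null || true
}

# 3) Is ossec-execd running? It must be up on both server and agent.
execd_running() {
    pgrep -x ossec-execd >/dev/null 2>&1
}

# Constructed sample files so the checks can be tried offline.
write_samples() {            # $1 = directory to write into
    cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF
    cat > "$1/alerts.log" <<'EOF'
** Alert 1725788100.1234: - syslog,sshd,invalid_login,authentication_failed,
2024 Sep 08 10:15:00 server->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 192.0.2.10
Sep  8 10:15:00 server sshd[1234]: Invalid user admin from 192.0.2.10 port 55000
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
ssh_log_monitored "$dir/ossec.conf" /var/log/auth.log && echo "auth.log is monitored"
echo "alerts for rule 5710: $(alerts_for_rule "$dir/alerts.log" 5710)"
execd_running && echo "ossec-execd running" || echo "ossec-execd NOT running"
rm -rf "$dir"
```

Point the functions at /var/ossec/etc/ossec.conf and /var/ossec/logs/alerts/alerts.log on a real host; a zero count for the rule means the problem is upstream of active response.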