Re: [ossec-list] Active response on server not working

2016-10-22 Thread Herman Harperink
Confirmed, this works.
Thank you!

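On Friday, 21 October 2016, dan (ddp) wrote:

> On Fri, Oct 21, 2016 at 6:38 AM, Herman Harperink wrote:
> > I've been testing this, doesn't work.
> >
>
> Here's what's working for me:
>   <active-response>
>     <command>firewall-drop</command>
>     <location>all</location>
>     <rules_id>5712,5718</rules_id>
>   </active-response>
>
>   <active-response>
>     <command>firewall-drop</command>
>     <location>server</location>
>     <rules_id>5712,5718</rules_id>
>   </active-response>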
>
>
> > On Wednesday, October 19, 2016 at 6:25:33 PM UTC+2, Herman Harperink wrote:
> >>
> >> Due to some other obligations I am unable to spend much time on this atm.
> >> Thanks for your efforts. I might have some time tomorrow, if I am able to
> >> complete my current task :-)

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
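
Added example, not part of the thread and not OSSEC code: a small Python check for the situation reported above, where a block with <location>all</location> ran on the agents but not on the server until a second block with <location>server</location> was added. The function name server_gaps, the wrapper element and both sample configurations are constructed for illustration; treating "all" as not covering the server follows the behaviour reported in this thread for 2.8.3.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the single block that reached only the agents.
AGENTS_ONLY = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712,5718</rules_id>
  </active-response>
</ossec_config>
"""

# Constructed sample: the same file plus the server block from the reply.
AGENTS_AND_SERVER = AGENTS_ONLY + """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>5712,5718</rules_id>
  </active-response>
</ossec_config>
"""

def _triggers(block):
    """Trigger keys of one <active-response> block: rule IDs and/or level."""
    keys = {"rule:" + r.strip()
            for r in (block.findtext("rules_id") or "").split(",") if r.strip()}
    level = (block.findtext("level") or "").strip()
    if level:
        keys.add("level:" + level)
    return keys

def server_gaps(conf_text):
    """Return sorted (command, trigger) pairs that have a location 'all'
    block but no location 'server' block (hypothetical helper)."""
    # ossec.conf may hold several <ossec_config> roots, so wrap them in one.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    on_all, on_server = set(), set()
    for block in root.iter("active-response"):
        command = (block.findtext("command") or "").strip()
        location = (block.findtext("location") or "").strip().lower()
        pairs = {(command, key) for key in _triggers(block)}
        if location == "all":
            on_all |= pairs
        elif location == "server":
            on_server |= pairs
    return sorted(on_all - on_server)
```

server_gaps(AGENTS_ONLY) lists both rule IDs as lacking a server block; with the second block added the list is empty.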


Re: [ossec-list] Active response on server not working

2016-10-21 Thread dan (ddp)
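On Fri, Oct 21, 2016 at 6:38 AM, Herman Harperink wrote:
> I've been testing this, doesn't work.
>

Here's what's working for me:
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712,5718</rules_id>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>5712,5718</rules_id>
  </active-response>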


> On Wednesday, October 19, 2016 at 6:25:33 PM UTC+2, Herman Harperink wrote:
>>
>> Due to some other obligations I am unable to spend much time on this atm.
>> Thanks for your efforts. I might have some time tomorrow, if I am able to
>> complete my current task :-)


Re: [ossec-list] Active response on server not working

2016-10-21 Thread Herman Harperink
I've been testing this, doesn't work.

On Wednesday, October 19, 2016 at 6:25:33 PM UTC+2, Herman Harperink wrote:
>
> Due to some other obligations I am unable to spend much time on this atm.
> Thanks for your efforts. I might have some time tomorrow, if I am able to 
> complete my current task :-)



Re: [ossec-list] Active response on server not working

2016-10-19 Thread Herman Harperink
Due to some other obligations I am unable to spend much time on this atm. Thanks
for your efforts. I might have some time tomorrow, if I am able to complete my 
current task :-)



Re: [ossec-list] Active response on server not working

2016-10-17 Thread Herman Harperink
That didn't work. Have to try something else.



Re: [ossec-list] Active response on server not working

2016-10-17 Thread dan (ddp)
On Mon, Oct 17, 2016 at 9:02 AM, Herman Harperink wrote:
>> Been testing a little more with this. With <location>all</location> all
>> agents get updated, except for the server. On the server AR just does not
>> work like that.
>
> Of course, with <location>local</location> it works on the server.
>
> So, when you want to protect all your agents from the same attackers, you'll
> be left with a vuln. Ossec Server :-)
>

Add 2 active-responses, one for agents and one for the server.




Re: [ossec-list] Active response on server not working

2016-10-17 Thread Herman Harperink

>
> Been testing a little more with this. With <location>all</location> all
> agents get updated, except for the server. On the server AR just does not
> work like that.
>
Of course, with <location>local</location> it works on the server.

So, when you want to protect all your agents from the same attackers, 
you'll be left with a vuln. Ossec Server :-)



Re: [ossec-list] Active response on server not working

2016-10-16 Thread Herman Harperink
 
  

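  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
    <timeout>86400</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>86400</timeout>
  </active-response>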



Re: [ossec-list] Active response on server not working

2016-10-15 Thread dan (ddp)
On Oct 15, 2016 10:51 AM, "Herman Harperink" wrote:
>
> I've found that AR is working on my agents, but not on my server. AR is
> set to ALL on my server.
> Did I miss something?
>
> Version 2.8.3 on Debian. AR log on the server is empty, but not on my
> agents.
> Should I have installed the server in hybrid mode?
>

Can you provide your active response configuration?

> Thanks.


[ossec-list] Active response on server not working

2016-10-15 Thread Herman Harperink
I've found that AR is working on my agents, but not on my server. AR is set to 
ALL on my server.
Did I miss something?

Version 2.8.3 on Debian. AR log on the server is empty, but not on my agents.
Should I have installed the server in hybrid mode?

Thanks.



[ossec-list] Active response on server

2016-10-15 Thread Herman Harperink
Hi,

It seems to me that active response doesn't work on the Ossec server as soon as 
you add an agent. I can't find any docs on this. Is this normal, should the 
Ossec server run in hybrid mode to get this working?
I've tested this with 2.8.3. After installing the server AR did work on the 
server, but after adding external agents it only works on the agents. The 
server itself doesn't do anything with it. AR is set to global...

Any hints on this?



Re: [ossec-list] Active-Response on server for remote alerts?

2015-05-26 Thread Santiago Bassett
Weird... Just curious, how did you figure it out?

On Tue, May 26, 2015 at 10:29 AM, Xavier Mertens <xmert...@gmail.com> wrote:

> FYI, my problem has been solved by reformatting the comment in the
> active-response section:
>
> Changed from:
> <!-- comment -->
>
> To:
> <!-- comment
>    -->
>
> Bug?
>
> /x
>
> On Fri, May 22, 2015 at 3:22 AM, Santiago Bassett
> <santiago.bass...@gmail.com> wrote:
>
>> Not sure if this is of any help, but try to run ossec-execd in debug mode
>> and use -t to test the configuration. Maybe that way you can figure out
>> what is causing the issue.
>>
>> On Thu, May 21, 2015 at 8:01 AM, Xavier Mertens <xmert...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I don't often write to the group (I'm following it closely) but today,
>>> I've a question...
>>>
>>> I'd like to trigger an Active-Response script on the _server_ for _any_
>>> alert (ex with level  10).
>>> I don't want to deploy the script on all agents.
>>> At the moment, here is my active-response config (for only 1 rule):
>>>
>>> <active-response>
>>>   <command>script</command>
>>>   <location>server</location>
>>>   <rules_id>31510</rules_id>
>>> </active-response>
>>>
>>> It seems that it expects the rule 31510 to happen on the _server_ but it
>>> is happening on agents..
>>> Any idea?
>>>
>>> /x



Re: [ossec-list] Active-Response on server for remote alerts?

2015-05-26 Thread Xavier Mertens
FYI, my problem has been solved by reformatting the comment in the
active-response section:

Changed from:
<!-- comment -->

To:
<!-- comment
   -->

Bug?

/x

On Fri, May 22, 2015 at 3:22 AM, Santiago Bassett
<santiago.bass...@gmail.com> wrote:

> Not sure if this is of any help, but try to run ossec-execd in debug mode
> and use -t to test the configuration. Maybe that way you can figure out
> what is causing the issue.
>
> On Thu, May 21, 2015 at 8:01 AM, Xavier Mertens <xmert...@gmail.com>
> wrote:
>
>> Hi,
>>
>> I don't often write to the group (I'm following it closely) but today,
>> I've a question...
>>
>> I'd like to trigger an Active-Response script on the _server_ for _any_
>> alert (ex with level  10).
>> I don't want to deploy the script on all agents.
>> At the moment, here is my active-response config (for only 1 rule):
>>
>> <active-response>
>>   <command>script</command>
>>   <location>server</location>
>>   <rules_id>31510</rules_id>
>> </active-response>
>>
>> It seems that it expects the rule 31510 to happen on the _server_ but it
>> is happening on agents..
>> Any idea?
>>
>> /x



[ossec-list] Active-Response on server for remote alerts?

2015-05-21 Thread Xavier Mertens
Hi,

I don't often write to the group (I'm following it closely) but today, I've
a question...

I'd like to trigger an Active-Response script on the _server_ for _any_
alert (ex with level  10).
I don't want to deploy the script on all agents.
At the moment, here is my active-response config (for only 1 rule):

<active-response>
  <command>script</command>
  <location>server</location>
  <rules_id>31510</rules_id>
</active-response>

It seems that it expects the rule 31510 to happen on the _server_ but it is
happening on agents..
Any idea?

/x
