Re: [ossec-list] Active response on server not working

2016-10-22 Thread Herman Harperink
Confirmed, this works. Thank you! On Friday, 21 October 2016, dan (ddp) wrote: > On Fri, Oct 21, 2016 at 6:38 AM, Herman Harperink > > wrote: > > I've been testing this, doesn't work. > > > > Here's what's working for me: > >

Re: [ossec-list] Active response on server not working

2016-10-21 Thread dan (ddp)
On Fri, Oct 21, 2016 at 6:38 AM, Herman Harperink wrote: > I've been testing this, doesn't work. > Here's what's working for me: firewall-drop all 5712,5718 firewall-drop server 5712,5718 > On Wednesday, October 19, 2016 at

Re: [ossec-list] Active response on server not working

2016-10-21 Thread Herman Harperink
I've been testing this, doesn't work. On Wednesday, October 19, 2016 at 6:25:33 PM UTC+2, Herman Harperink wrote: > > Due to some other obligations I am unable to spend much time on this atm. > Thanks for your efforts. I might have some time tomorrow, if I am able to > complete my current task

Re: [ossec-list] Active response on server not working

2016-10-19 Thread Herman Harperink
Due to some other obligations I am unable to spend much time on this atm. Thanks for your efforts. I might have some time tomorrow, if I am able to complete my current task :-) -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe

Re: [ossec-list] Active response on server not working

2016-10-17 Thread Herman Harperink
That didn't work. Have to try something else.

Re: [ossec-list] Active response on server not working

2016-10-17 Thread dan (ddp)
On Mon, Oct 17, 2016 at 9:02 AM, Herman Harperink wrote: >> Been testing a little more with this. With all all >> agents get updated, except for the server. On the server AR just does not >> work like that. > > Of course, with local it works on the server. > > So,

Re: [ossec-list] Active response on server not working

2016-10-17 Thread Herman Harperink
> > Been testing a little more with this. With all all > agents get updated, except for the server. On the server AR just does not > work like that. > Of course, with local it works on the server. So, when you want to protect all your agents from the same attackers, you'll be left with a

Re: [ossec-list] Active response on server not working

2016-10-16 Thread Herman Harperink
host-deny all 6 86400 firewall-drop all 6 86400

Re: [ossec-list] Active response on server not working

2016-10-15 Thread dan (ddp)
On Oct 15, 2016 10:51 AM, "Herman Harperink" wrote: > > I've found that AR is working on my agents, but not on my server. AR is set to ALL on my server. > Did I miss something? > > Version 2.8.3 on Debian. AR log on the server is empty, but not on my agents. > Should I

[ossec-list] Active response on server not working

2016-10-15 Thread Herman Harperink
I've found that AR is working on my agents, but not on my server. AR is set to ALL on my server. Did I miss something? Version 2.8.3 on Debian. AR log on the server is empty, but not on my agents. Should I have installed the server in hybrid mode? Thanks.

[ossec-list] Active response on server

2016-10-15 Thread Herman Harperink
Hi, It seems to me that active response doesn't work on the Ossec server as soon as you add an agent. I can't find any docs on this. Is this normal, should the Ossec server run in hybrid mode to get this working? I've tested this with 2.8.3. After installing the server AR did work on the

Re: [ossec-list] Active-Response on server for remote alerts?

2015-05-26 Thread Santiago Bassett
Weird... Just curious, how did you figure it out? On Tue, May 26, 2015 at 10:29 AM, Xavier Mertens xmert...@gmail.com wrote: FYI, my problem has been solved by reformatting the comment in the active-response section: Changed from: !-- comment -- To: !-- comment -- Bug? /x On

Re: [ossec-list] Active-Response on server for remote alerts?

2015-05-26 Thread Xavier Mertens
FYI, my problem has been solved by reformatting the comment in the active-response section: Changed from: !-- comment -- To: !-- comment -- Bug? /x On Fri, May 22, 2015 at 3:22 AM, Santiago Bassett santiago.bass...@gmail.com wrote: Not sure if this is of any help, but try to run

[ossec-list] Active-Response on server for remote alerts?

2015-05-21 Thread Xavier Mertens
Hi, I don't often write to the group (I'm following it closely) but today, I've a question... I'd like to trigger an Active-Response script on the _server_ for _any_ alert (ex with level 10). I don't want to deploy the script on all agents. At the moment, here is my active-response config (for