On Thu, Nov 8, 2012 at 3:39 PM, CTech <chroma...@gmail.com> wrote:
> I have ossec agents running on several machines, but only one of them
> ("agent 001") is set in the server's ossec.config to allow active response.
> The <active-response> section in my server's ossec.config is pasted at the
> bottom of this message, since someone is sure to ask for it otherwise.
>
> This appeared to have been working fine. However, recently "agent 001" began
> blocking traffic from "agent 002." I was able to quickly resolve this by
> adding a <white_list> entry. When I started looking at logs to find out
> exactly what rule "agent 002" had triggered, I found that "agent 002" was
> nowhere in ossec's alert or active-response logs as a source IP sending
> traffic to "agent 001." Where "agent 002" did appear in the logs, having
> triggered an alert, it was because a problem in apache on that server had
> caused it to appear to be attacking itself, triggering a level 6 rule
> multiple times.
>
> So here is my question: Am I missing something, or is active response,
> although firing only on "agent 001," responding to alerts generated on
> "agent 002"? Having "agent 002" whitelisted should prevent today's problem,
> but I don't want iptables on "agent 001" blocking addresses that don't need
> to be blocked. I will greatly appreciate any clarity you can offer.
>
> <active-response>
> <disabled>no</disabled>
> <command>firewall-drop</command>
> <location>defined-agent</location>
> <agent_id>001</agent_id>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
agent001 could very well be adding blocks based on alerts from agent002.
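Added example (Python, not from the thread or from the OSSEC project) modelling the dispatch the reply describes: every alert at or above `<level>` from any agent fires the `defined-agent` response on agent 001, whereas a `local` location would block on the agent that raised the alert. The alerts.log lines, the agent names and the mapping of agent id 001 to the name agent001 are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed alerts.log excerpt (sample data, not from the thread): a level-5
# and a level-10 alert from agent001, and one level-6 alert from agent002.
SAMPLE_ALERTS = """\
** Alert 1352400000.1: - syslog,sshd,authentication_failed,
2012 Nov 08 15:30:00 (agent001) 10.0.0.1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7

** Alert 1352400060.2: - web,accesslog,attack,
2012 Nov 08 15:31:00 (agent002) 10.0.0.2->/var/log/apache2/access.log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 10.0.0.2

** Alert 1352400120.3: - syslog,sshd,authentication_failures,
2012 Nov 08 15:32:00 (agent001) 10.0.0.1->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 198.51.100.9
"""

# Agent name, rule id, level and source IP of each alert block.
ALERT_RE = re.compile(
    r"^\*\* Alert [^\n]*\n"
    r"\d{4} \w{3} \d{2} \S+ \((?P<agent>[^)]+)\) [^\n]*\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) [^\n]*\n"
    r"Src IP: (?P<srcip>\S+)", re.MULTILINE)

@dataclass(frozen=True)
class ActiveResponse:
    location: str        # <location>: "defined-agent" or "local"
    agent: str           # agent that runs the command (<agent_id>; name assumed)
    level: int           # minimum alert level (<level>)
    white_list: frozenset = frozenset()   # <white_list> IPs are never blocked

# The thread's config beside a "local" variant that blocks on the alerting agent.
DEFINED_AGENT = ActiveResponse("defined-agent", "agent001", 6)
LOCAL = ActiveResponse("local", "", 6)

def responses(cfg, alerts_text):
    """(executing_agent, blocked_srcip, alerting_agent) for each alert that fires."""
    fired = []
    for m in ALERT_RE.finditer(alerts_text):
        if int(m["level"]) < cfg.level or m["srcip"] in cfg.white_list:
            continue
        runs_on = m["agent"] if cfg.location == "local" else cfg.agent
        fired.append((runs_on, m["srcip"], m["agent"]))
    return fired
```

With `DEFINED_AGENT`, the agent002 web alert produces a firewall-drop of 10.0.0.2 on agent001, which is exactly the cross-agent block the original poster observed; adding 10.0.0.2 to `white_list` suppresses it without affecting the level-10 SSH alert.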