Active response literally doesn't work


den

Sep 8, 2024, 10:55:59 AM9/8/24
to ossec-list
Hi everyone,
I saw an article about configuring active response in OSSEC: https://wazuh.com/blog/blocking-attacks-active-response/

I have configured the directive and added some code hoping that it would prevent the attack, but it doesn't work.
I configured the following in ossec.conf:
<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5710</rules_id>
    <timeout>600</timeout>
</active-response>

<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5715</rules_id>
    <timeout>600</timeout>
</active-response>
The server doesn't send any alert back to me even when it is attacked. I used a SYN flood attack with hping3 against the server.
Is there any way the active response can prevent this?
Thanks everyone

dan (ddp)

Sep 9, 2024, 12:17:16 PM9/9/24
to ossec...@googlegroups.com
I haven't looked at this stuff in a while, and I definitely haven't
looked at the wazuh documentation (it often doesn't apply to OSSEC).
First make sure you're getting the expected ssh logs in a monitored
file. Next make sure OSSEC is alerting on it with the expected rule.
Also make sure `ossec-execd` is running on both the server and agent.
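Before chasing the runtime checks dan lists (ssh log lines in a monitored file, the expected rule firing, ossec-execd running on server and agent), it is worth confirming that the active-response blocks themselves are well formed, since OSSEC compares the <command> and <location> values against the defined command names and the fixed location keywords by exact string match, so stray spaces inside the tags, as in the blocks posted above, are enough to make the block unusable. The following validator is an added example written for this thread; it is not code from either poster or from OSSEC. The <root> wrapper is only there so the snippet parses as one XML document (ossec.conf is a bare sequence of top-level elements), and the <command> definition is a constructed copy of what a stock firewall-drop definition looks like; check your own ossec.conf for the real one. Note also that a SYN flood produces no sshd log lines at all, so SSH rules such as the ones referenced here will never be the trigger for that traffic, which is exactly why the first check in dan's reply is to look at the logs.

```python
"""Structural sanity check for OSSEC <active-response> blocks.

Added example for the thread above, not OSSEC's own code. It catches the
config-level mistakes (padded values, undefined command, bad location, no
trigger) that stop an active response from ever being loaded. Whether the
referenced rule actually fires on your traffic still has to be verified in
the alerts and in ossec-execd's logs.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two blocks from the post (with their padding) plus a
# hypothetical firewall-drop command definition resembling the stock one.
# The <root> wrapper is only needed because ossec.conf has no single root.
SAMPLE_CONF = """<root>
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
    <command> firewall-drop </command>
    <location> local </location>
    <rules_id> 5710 </rules_id>
    <timeout> 600 </timeout>
</active-response>
<active-response>
    <command> firewall-drop </command>
    <location> local </location>
    <rules_id> 5715 </rules_id>
    <timeout> 600 </timeout>
</active-response>
</root>"""

# The location keywords OSSEC accepts for <location>.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


def _text(elem, tag):
    """Return the raw text of a child element, or None if absent/empty."""
    child = elem.find(tag)
    return None if child is None or child.text is None else child.text


def strip_padding(conf_xml):
    """Remove whitespace padding around simple element values ('> x <' -> '>x<')."""
    return re.sub(r">\s+([^<\s][^<]*?)\s+<", r">\1<", conf_xml)


def check_active_response(conf_xml):
    """Return a list of human-readable findings; an empty list means structurally sound."""
    root = ET.fromstring(conf_xml)

    # Index the <command> definitions by name so each block can be matched against them.
    commands = {}
    for cmd in root.findall("command"):
        name = _text(cmd, "name")
        if name is not None:
            commands[name.strip()] = cmd

    findings = []
    for idx, ar in enumerate(root.findall("active-response"), 1):
        where = f"active-response #{idx}"

        # Padding is reported per tag because OSSEC matches command/location exactly.
        for tag in ("command", "location", "rules_id", "timeout"):
            val = _text(ar, tag)
            if val is not None and val != val.strip():
                findings.append(f"{where}: <{tag}> value {val!r} is padded with whitespace")

        cmd = (_text(ar, "command") or "").strip()
        if not cmd:
            findings.append(f"{where}: missing <command>")
        elif cmd not in commands:
            findings.append(f"{where}: command {cmd!r} has no <command><name> definition")
        elif _text(ar, "timeout") is not None:
            allowed = (_text(commands[cmd], "timeout_allowed") or "").strip()
            if allowed != "yes":
                findings.append(f"{where}: <timeout> set but command {cmd!r} has no <timeout_allowed>yes")

        loc = (_text(ar, "location") or "").strip()
        if loc not in VALID_LOCATIONS:
            findings.append(f"{where}: unknown <location> {loc!r}")

        # Without a trigger the block is dead configuration: nothing ever invokes it.
        if not any(_text(ar, t) for t in ("rules_id", "rules_group", "level")):
            findings.append(f"{where}: no trigger (<rules_id>, <rules_group> or <level>)")

        rules = (_text(ar, "rules_id") or "").strip()
        if rules and not all(r.strip().isdigit() for r in rules.split(",")):
            findings.append(f"{where}: <rules_id> {rules!r} is not a comma-separated list of numbers")

        timeout = (_text(ar, "timeout") or "").strip()
        if timeout and not timeout.isdigit():
            findings.append(f"{where}: <timeout> {timeout!r} is not a number of seconds")

    return findings


if __name__ == "__main__":
    for finding in check_active_response(SAMPLE_CONF):
        print(finding)
    print("after strip_padding:", check_active_response(strip_padding(SAMPLE_CONF)))
```

Run against the posted blocks, the checker reports eight padding findings (four tags in each of the two blocks) and nothing else; after strip_padding the same configuration passes cleanly, which is the version to put back into ossec.conf before restarting OSSEC and rechecking the alerts.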