active-response question on the ossec server


Peter M. Abraham

Nov 28, 2007, 1:26:01 PM11/28/07
to ossec-list
Greetings:

We use the <location>all</location> in active-response to block
attacks on all agents.

I just noticed there is no /var/ossec/logs/active-responses.log on the
ossec server itself.

Is there a way to have active-response active on the ossec server so
that in that way the ossec server is also treated as an agent?

Thank you.

Daniel Cid

Nov 28, 2007, 10:42:42 PM11/28/07
to ossec...@googlegroups.com
Hi Peter,

Just changing the config to the following should do it:

<location>all|server</location>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

Peter M. Abraham

Nov 29, 2007, 8:41:46 AM11/29/07
to ossec-list
Hi Daniel:

Thank you.

Peter M. Abraham

Nov 29, 2007, 10:08:54 AM11/29/07
to ossec-list
Hi Daniel:

I just found out that the "all|server" ends up just using active-response
on the server. The agents were not updated -- not on the initial
receiving agent, or any of the other agents.

Please advise.

Thank you.

Peter M. Abraham

Dec 1, 2007, 12:06:22 PM12/1/07
to ossec-list
Greetings Daniel:

The "all|server" in location ended up just putting the active-response
on the server, and missed all of the agents.

If I used two sets of active responses (same sid's), one with location
all and one with location server, would that work or would the last
set overwrite the first set?

Thank you.

Peter M. Abraham

Dec 5, 2007, 6:32:39 PM12/5/07
to ossec-list

Daniel Cid

Dec 5, 2007, 9:14:25 PM12/5/07
to ossec...@googlegroups.com
Hi Peter,

Yes, sorry for the bad advice. It will not work properly the way I said. I just
did a quick test here, and having two sets of responses, one with "server"
as the location and the other with "all", should do what you want.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
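
The two-entry arrangement Daniel describes, written out as an ossec.conf fragment. This is an added illustration, not configuration posted in the thread: the `firewall-drop` command, the level-10 trigger and the 600-second timeout are assumptions chosen for the example, and both `<active-response>` blocks must carry the same trigger so that the server and the agents react to the same alerts.

```xml
<ossec_config>
  <!-- The response command itself; firewall-drop ships with OSSEC but
       the thread never names which command was in use (assumption). -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Entry 1: push the block to every agent.
       Per the thread, a single <location>all|server</location> entry
       only fired on the server and left the agents uncovered. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>10</level>          <!-- example threshold (assumption) -->
    <timeout>600</timeout>     <!-- unblock after 10 minutes (assumption) -->
  </active-response>

  <!-- Entry 2: identical trigger, but run on the OSSEC server itself,
       which is what produces /var/ossec/logs/active-responses.log there.
       The thread's "same sid's" means the two entries may instead share
       a <rules_id> list in place of <level>; keep the triggers identical. -->
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After restarting the server, the same blocked source IP should appear in active-responses.log on the server and on each agent, which is the check Peter was missing in his first message.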

Peter M. Abraham

Dec 6, 2007, 10:11:57 AM12/6/07
to ossec-list
Hi Daniel:

Welcome to the human race <smile>, and thank you for letting me know
about having two entries.

I'm testing that now.

Thank you again.