Thanks!  I'll give that a try.  Sorry if I wasn't entirely clear about this.

Martin

On 4/22/2011 5:12 PM, dan (ddp) wrote:
Hi Martin,

On Fri, Apr 22, 2011 at 5:08 PM, Martin Gottlieb <mar...@axion-it.net> wrote:
Shouldn't this block from the config on the OSSEC server:

   <active-response>
     <!-- Firewall Drop response. Block the IP for
        - 600 seconds on the firewall (iptables,
        - ipfilter, etc).
       -->
     <command>firewall-drop</command>
     <location>as</location>
     <level>6</level>
     <timeout>3600</timeout>
   </active-response>

cause the firewall drop script to be run on the server for any event that is level 6 or higher, regardless of which agent it came from?  That's all I'm trying to accomplish, I don't need anything to run on the Windows agent if I can get the firewall drop script to run on the server.

Thanks.

Martin

Oh, I get it now. Your <location> field looks wrong. It should be
<location>server</location>
http://www.ossec.net/doc/syntax/head_ossec_config.active-responce.html#element-active-response.location

On 4/22/2011 4:58 PM, dan (ddp) wrote:

Hi Martin,

On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb <mar...@axion-it.net> wrote:

I guess what I'm trying to understand is this:

When an event is triggered from a Linux agent, the firewall drop script is run on the OSSEC server (in addition to the hosts deny script being called on the agent).  I don't recall doing anything special to make this happen when I installed OSSEC, I assume it is part of the default behavior.

The default actions (if I'm reading
https://bitbucket.org/dcid/ossec-hids/src/4908b28513b0/etc/ossec-server.conf
correctly) is that the script is run on the system where the log message originated. Unless you changed the configurations the scripts shouldn't be running on both the server and the agents.

When an event is triggered on a Windows agent, the firewall drop script is NOT called on the server, but I would like it to be.  I would like the default behavior on Windows agents to be the same as Linux agents, at least as far as what happens on the OSSEC server.  The Windows agent is obviously reporting the event to the server as it logs it and reports it to me.

Am I understanding the responses so far to mean that I have to write a script to make this happen, and that the script needs to reside on the Windows agent?

Thanks again.

Martin

The script would have to reside on all of the systems you want it to run on. Having it run on both Windows and Linux systems may be difficult.
