I have ossec agents running on several machines, but only one of them
("agent 001") is set in the server's ossec.config to allow active response.
The <active-response> section in my server's ossec.config is pasted at the
bottom of this message, since someone is sure to ask for it otherwise.
This appeared to have been working fine. However, recently "agent 001"
began blocking traffic from "agent 002." I was able to quickly resolve this
by adding a <white_list> entry. When I started looking at logs to find out
exactly what rule "agent 002" had triggered, I found that "agent 002" was
nowhere in ossec's alert or active-response logs as a source IP sending
traffic to "agent 001." Where "agent 002" did appear in the logs, having
triggered an alert, it was because a problem in apache on that server had
caused it to appear to be attacking itself, triggering a level 6 rule
multiple times.
So here is my question: *Am I missing something, or is active response,
although firing only on "agent 001," responding to alerts generated on
"agent 002"?* Having "agent 002" whitelisted should prevent today's
problem, but I don't want iptables on "agent 001" blocking addresses that
don't need to be blocked. I will greatly appreciate any clarity you can
offer.
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
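An added example (not from the original post or the OSSEC project) that models the server-side decision the question is about: with `<location>defined-agent</location>`, a qualifying alert from any agent is acted on by the named agent, while `<location>local</location>` runs the response on the agent that raised the alert. The `<white_list>` IP and the alert values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the poster's block plus a hypothetical <white_list>,
# wrapped in <ossec_config> as a real ossec.conf would be.
SERVER_CONF = """<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <global>
    <white_list>10.0.0.22</white_list>
  </global>
</ossec_config>"""


def load_config(xml_text):
    """Pull the fields that decide whether and where a response fires."""
    root = ET.fromstring(xml_text)
    ar = root.find("active-response")
    return {
        "enabled": ar.findtext("disabled", "no").strip() == "no",
        "command": ar.findtext("command"),
        "location": ar.findtext("location"),
        "agent_id": ar.findtext("agent_id"),
        "level": int(ar.findtext("level")),
        "white_list": [w.text.strip() for w in root.iter("white_list") if w.text],
    }


def plan_response(cfg, alert):
    """Simplified model of the server's choice. `alert` is a dict with
    'agent' (id that raised it), 'level' and 'srcip'. Returns the
    (executing_agent, blocked_ip) pair, or None if nothing would run."""
    if not cfg["enabled"] or alert["level"] < cfg["level"]:
        return None
    if alert["srcip"] in cfg["white_list"]:
        return None  # white_list exempts the source IP from blocking
    if cfg["location"] == "defined-agent":
        target = cfg["agent_id"]  # always the named agent, whoever alerted
    elif cfg["location"] == "local":
        target = alert["agent"]   # the agent that generated the alert
    else:
        return None  # 'server' and 'all' are not modelled here
    return (target, alert["srcip"])
```

Switching the constructed config to `local` and re-running `plan_response` shows the same level-6 alert from agent 002 being handled on agent 002 instead of agent 001.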