Hi, I have not tested the feasibility of this as I'm still having problems getting active-response to work properly, just something that popped into my head. What if an attacker sends a spoofed source IP address that corresponds to either the OSSEC agent or server? Wouldn't active-response end up blocking communication between the agent and server?
Cheers, Sean
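Added editorial example, not part of Sean's message or an official OSSEC reply: the safeguard OSSEC provides for exactly this self-blocking risk is the `<white_list>` element in the `<global>` section of ossec.conf. Source addresses listed there are never passed to active-response, so a spoofed packet claiming to come from the agent or the server cannot cause the firewall-drop response to cut the agent/server channel. The addresses below are constructed placeholders for the server, one agent and loopback; replace them with the real ones.

```xml
<!-- Excerpt of /var/ossec/etc/ossec.conf (server side); addresses are constructed placeholders -->
<ossec_config>
  <global>
    <!-- Never trigger active-response for these sources, even if events match a blocking rule -->
    <white_list>127.0.0.1</white_list>      <!-- loopback -->
    <white_list>192.0.2.10</white_list>     <!-- OSSEC server (placeholder) -->
    <white_list>192.0.2.20</white_list>     <!-- OSSEC agent (placeholder) -->
  </global>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two practical checks after editing: restart OSSEC so analysisd reloads the list, and confirm the entries with `grep white_list /var/ossec/etc/ossec.conf`; the active-response log (`/var/ossec/logs/active-responses.log`) should then show no `firewall-drop` entries for the whitelisted addresses, even while unrelated sources are still being blocked. Keeping a timeout on the response (as above) also limits the damage of any block that does slip through.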
