On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare <[email protected]> wrote: > Hi all, > > please correct me if I am wrong, I just noticed that the active response can > only be disabled on the master but not on individual agents. > is that true? > > I think it's a shame, because I just want to use it only on specific > machines, that are expose to the bad bad internet :) > I know I could just whitelist all the internal IPs, because it's unlikely > that an attack could be started from inside... > > wouldn't it be nice to have the possbility to just > > <active-response> > <disabled>yes</disabled> > </active-response> > > on the agent ossec.conf ? :)))) > > is there any reason is can only be controlled from the master? > i'd like to understand it better. >
That should work to disable AR (as a whole) on the agent. > thanks, > theresa > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
