On Dec 18, 2015 11:00 AM, "theresa mic-snare" <[email protected]> wrote:
>
> so, does this mean it is also possible to disable it with the above mentioned syntax in the ossec.conf on the agent?
>

Yes.

> sorry for double-checking and the stupid question, but I haven't found it in the official docs:
>
>> Active-response options are available in the following installation types:
>>
>> server
>> local
>
>
> the <disable>yes</disable> tag is one of those options, right?!
>

As usual my poor grasp of the English language is causing the confusion. That option is available on agents. It disables AR entirely for that agent. So far no one has brought up the situation of disabling it entirely on some agents, but not others.

> and shouldn't there also be a log entry in the ossec.conf, something like this
> ossec-execd(1350): INFO: Active response disabled. Exiting.
>
> after restarting the agent?

No clue. Probably.

> I haven't found this log entry after disabling it in the ossec.conf on the agent and restarted this agent afterwards.
>
>
> On Friday, 18 December 2015 15:55:38 UTC+1, dan (ddpbsd) wrote:
>>
>> On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare
>> <[email protected]> wrote:
>> > Hi all,
>> >
>> > please correct me if I am wrong, I just noticed that the active response can
>> > only be disabled on the master but not on individual agents.
>> > is that true?
>> >
>> > I think it's a shame, because I just want to use it only on specific
>> > machines, that are exposed to the bad bad internet :)
>> > I know I could just whitelist all the internal IPs, because it's unlikely
>> > that an attack could be started from inside...
>> >
>> > wouldn't it be nice to have the possibility to just
>> >
>> > <active-response>
>> >   <disabled>yes</disabled>
>> > </active-response>
>> >
>> > on the agent ossec.conf ? :))))
>> >
>> > is there any reason it can only be controlled from the master?
>> > I'd like to understand it better.
>> >
>>
>> That should work to disable AR (as a whole) on the agent.
>>
>> > thanks,
>> > theresa
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
