Hi,

The field "location" in the configuration of Active Response means where 
the command will be executed:

   - local: on the agent that generated the event
   - server: on the OSSEC server
   - defined-agent: on a specific agent (when using this option, you need 
   to set the agent_id to use)
   - all: everywhere.
   
So, if you use "all", the attack IP will be blocked in all your agents 
(using the command specified in the configuration).

Then, the attack IP will be unblocked after a timeout or when you restart 
the agent. If you manually remove an IP on an agent, the rest of the agents 
will continue with the IP blocked.

Regards.


On Saturday, June 25, 2016 at 2:57:07 PM UTC+2, Deepak Singh wrote:
>
> Hi all,
>
> Greetings for the day, since I am not an expert user of ossec, I am having a 
> query about the ossec brute force block on client server mechanism.
>
> I am having one Ossec Server and 10 linux and 5 windows host.
>
> So if I am enabling the active response in ossec server for blocking the 
> bruteforce attackers so will it be updated on all clients as well as server.
>
> For example.
>
>
> Case 1 
>           If block is triggered on server so will it inform the other 
> agents as well to block the ip in their host deny or firewall?
>
> Case 2 
>          If block is held on agent so will it be informed to other agents 
> as well as server to block the ip in their host deny or firewall?
>
>
> If yes then what will happen if I remove the blocked IP from server of the 
> agent? I mean will it be removed from other agents as well.
>
> and if I am going wrong anywhere please explain to me what will happen in the 
> above cases.
>
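
For reference, this is how the "location" values described in the reply look in the server's ossec.conf. It is an added example, not part of the original messages; the rule ID, level, timeout and agent ID are sample values chosen for illustration.

```xml
<!-- Added example with constructed values: active response in the OSSEC server's ossec.conf -->

<!-- Stock command. firewall-drop.sh is a shell script, so it only runs on Unix-like agents. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- location "all": the command runs everywhere for the offending source IP -->
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <!-- sample trigger: the SSHD brute force rule from the default ruleset -->
  <rules_id>5712</rules_id>
  <!-- seconds until the block is removed again (sample value) -->
  <timeout>600</timeout>
</active-response>

<!-- location "defined-agent": the command runs only on the agent named by agent_id -->
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <!-- sample agent ID -->
  <agent_id>001</agent_id>
  <!-- sample trigger: any alert at this level or higher -->
  <level>10</level>
  <timeout>600</timeout>
</active-response>
```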
