Thanks, it worked!

On Wednesday, June 7, 2017 at 3:39:34 PM UTC-4, dan (ddpbsd) wrote:
>
> On Jun 7, 2017 2:09 PM, "sandaway" <junju...@gmail.com> wrote:
>
> I really need some help. It looks like my OSSEC setup, a server and two 
> clients, could not run active response properly. From 
> the active-responses.log, the firewall-drop.sh command runs either on the 
> server or on the clients, depending on the <location> I set, as in the 
> following example.
>
>   <!-- Active Response Config -->
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>all, server</location>
>     <level>6</level>
>     <timeout>600</timeout>
>     <repeated_offenders>30,60,120</repeated_offenders>
>   </active-response>
>
>
> When I use "<location>all</location>", two clients run the same 
> firewall-drop.sh, but not the server:
> Client 1:
> Wed Jun  7 12:51:59 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706
> Wed Jun  7 13:02:30 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706
>
> Client 2:
> Wed Jun  7 12:53:28 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706
> Wed Jun  7 13:03:58 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706
>
> The event was triggered on Client 2, based on examination of the secure 
> log. The system time is a bit off.
>
> When I use "<location>server</location>" or "<location>all, 
> server</location>", then active response only runs on the server. No action 
> on the clients.
>
> My question is how I should configure ossec so that active response runs 
> on both server and clients?
>
>
> Have 2 active response blocks, one for the server and one for all.
>
>
>
> Please help.
>
> -- 
>
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
>
>

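The fix dan suggests (one `<active-response>` block with `<location>server</location>` and a second with `<location>all</location>`) can be checked mechanically before restarting OSSEC. The script below is an added example, not code from the thread or from the OSSEC project: it parses a constructed `ossec.conf` fragment with `xml.etree`, lists the `<location>` values configured for each `<command>`, and flags any value that is not one of the four documented location keywords (`local`, `server`, `defined-agent`, `all`), which is what the poster's combined `all, server` value is. `BROKEN_CONF` and `FIXED_CONF` are constructed from the thread; the assumption that `<active-response>` sits directly under `<ossec_config>` matches the stock configuration layout.

```python
"""Check which hosts an OSSEC active-response block will run on.

Added example, not part of the ossec-list thread. It parses an ossec.conf
fragment and reports, per <command>, which <location> values are set,
flagging values that are not one of the documented location keywords.
"""
import xml.etree.ElementTree as ET

# Documented <location> keywords for OSSEC active response.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed from the thread: one block with a combined location value.
BROKEN_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all, server</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>"""

# Constructed: the fix suggested in the thread, one block per location.
FIXED_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>"""


def active_response_locations(conf_xml):
    """Return {command: set(locations)} for every <active-response> block."""
    root = ET.fromstring(conf_xml)
    out = {}
    for block in root.findall("active-response"):
        cmd = block.findtext("command", "").strip()
        loc = block.findtext("location", "").strip()
        out.setdefault(cmd, set()).add(loc)
    return out


def check_coverage(conf_xml, command):
    """Return (problems, runs_on_server, runs_on_agents) for one command.

    problems lists <location> values that are not a single documented
    keyword; the two booleans say whether some block targets the server
    and whether some block targets agents (all / local / defined-agent).
    """
    locs = active_response_locations(conf_xml).get(command, set())
    problems = [f"invalid <location>{loc}</location> (use one keyword per block)"
                for loc in locs if loc not in VALID_LOCATIONS]
    runs_on_server = "server" in locs
    runs_on_agents = bool(locs & {"all", "local", "defined-agent"})
    return problems, runs_on_server, runs_on_agents


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        problems, on_server, on_agents = check_coverage(conf, "firewall-drop")
        print(f"{name}: server={on_server} agents={on_agents} problems={problems}")
```

A real `ossec.conf` often contains several top-level `<ossec_config>` elements back to back, which is not a single well-formed document; wrap the file's text in a dummy root element (and search with `.//active-response`) before feeding it to `check_coverage` if you point this at a live configuration.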
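Once the two blocks are in place, the `active-responses.log` lines quoted in the thread are what confirm the behaviour: which host ran the `add`, and whether the matching `delete` came after the configured `<timeout>`. The script below is an added example, not code from the thread or from OSSEC. It takes the quoted log lines (constructed here as a per-host dict, with an empty list for the server to reflect the poster's observation under `<location>all</location>`), pairs each `add` with its `delete` by host, script, IP and alert id, and reports the block duration and which hosts acted on each alert. The field layout it assumes (ctime timestamp, script path, action, user, IP, alert id, rule id) is the one visible in the quoted lines.

```python
"""Pair add/delete entries in OSSEC active-responses.log per host.

Added example, not code from the thread or from OSSEC. It pairs each
'add' with its 'delete' and reports how long the block lasted and which
hosts acted on each alert id.
"""
from datetime import datetime

# Constructed from the thread: host -> lines from its active-responses.log.
SAMPLE_LOGS = {
    "client1": [
        "Wed Jun  7 12:51:59 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706",
        "Wed Jun  7 13:02:30 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706",
    ],
    "client2": [
        "Wed Jun  7 12:53:28 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706",
        "Wed Jun  7 13:03:58 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706",
    ],
    "server": [],  # nothing ran on the server with <location>all</location>
}


def parse_line(line):
    """Split one active-responses.log line into its fields.

    Layout: <ctime timestamp> <script> <action> <user> <ip> <alert id> <rule id>.
    The zone token (EDT) is dropped rather than parsed, because strptime's
    %Z only recognises UTC, GMT and the local zone name.
    """
    t = line.split()
    when = datetime.strptime(" ".join(t[0:4] + [t[5]]), "%a %b %d %H:%M:%S %Y")
    return {"when": when, "script": t[6].rsplit("/", 1)[-1], "action": t[7],
            "user": t[8], "ip": t[9], "alert_id": t[10], "rule_id": t[11]}


def pair_responses(logs_by_host, timeout=600):
    """Return one record per 'add': host, ip, rule, block length, status.

    Durations are computed per host, so clock offset between hosts (which
    the poster mentions) does not affect them.
    """
    records = []
    open_adds = {}
    for host, lines in logs_by_host.items():
        for rec in (parse_line(l) for l in lines):
            key = (host, rec["script"], rec["ip"], rec["alert_id"])
            if rec["action"] == "add":
                open_adds[key] = rec
            elif rec["action"] == "delete" and key in open_adds:
                add = open_adds.pop(key)
                secs = int((rec["when"] - add["when"]).total_seconds())
                records.append({"host": host, "ip": rec["ip"], "rule_id": rec["rule_id"],
                                "seconds": secs,
                                "status": "ok" if secs >= timeout else "released early"})
    for key, add in open_adds.items():  # adds that never saw a delete
        records.append({"host": key[0], "ip": add["ip"], "rule_id": add["rule_id"],
                        "seconds": None, "status": "still blocked"})
    return records


def hosts_per_alert(logs_by_host):
    """Map alert id -> sorted list of hosts that ran an 'add' for it."""
    out = {}
    for host, lines in logs_by_host.items():
        for rec in (parse_line(l) for l in lines):
            if rec["action"] == "add":
                out.setdefault(rec["alert_id"], set()).add(host)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for r in pair_responses(SAMPLE_LOGS):
        print(f"{r['host']}: {r['ip']} rule {r['rule_id']} {r['seconds']}s {r['status']}")
    print(hosts_per_alert(SAMPLE_LOGS))
```

On the thread's data both clients released the block about 630 seconds after adding it, slightly over the 600 second `<timeout>`, and the server appears under no alert id; after adding the second block with `<location>server</location>`, the server should show up in `hosts_per_alert` alongside the clients.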