On Friday, November 10, 2017 at 3:00:36 PM UTC-5, Josmell Chavarri wrote:
>
> Hi, can you help me with a problem?
>
> I have an ossec-wazuh server with 20 agents connected with active response
> for agent id 001.
>
> Ossec.conf ------- the server
>
> <active-response>
>   <!-- Block rule level 8 agent 001 -->
>   <command>firewall-drop</command>
>   <location>defined-agent</location>
>   <agent_id>001</agent_id>
>   <level>8</level>
>   <timeout>600</timeout>
> </active-response>
You specified a response location of 'defined-agent' and the agent id of '001', so yes, this response will trigger *on* agent 001, regardless of which agent generated the alert. Working as written, if not as intended.

A location of 'local' would cause the IP to be blocked on the agent that the IP contacted. A location of 'server' would cause the server to drop the IP, regardless of which agent was contacted. 'all' would cause all active agents to drop the IP if any agent generates the alert.

Someone please correct me if I'm wrong, I haven't turned on active-response at my site yet, primarily because it would be really helpful if I could set a location of "defined-group", and allow me to specify a group of servers that that response would run on. Perhaps for 3.x?

Looking at the examples in the documentation, it's a bit ambiguous, and I can see how you misinterpreted it.
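To make the location semantics concrete, here is an added example (not from the thread or the OSSEC project) that parses the poster's `<active-response>` block and resolves which host would run `firewall-drop` for a given alert, modelling the 'local', 'server', 'all' and 'defined-agent' behaviour exactly as the reply above describes it; the agent list and alert values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the poster's <active-response> block from the quoted message.
OSSEC_CONF = """<ossec_config>
  <active-response>
    <!-- Block rule level 8 agent 001 -->
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def parse_responses(conf_xml):
    """Return one dict per <active-response> block in the config."""
    root = ET.fromstring(conf_xml)
    responses = []
    for ar in root.findall("active-response"):
        responses.append({
            "command": (ar.findtext("command") or "").strip(),
            "location": (ar.findtext("location") or "").strip(),
            "agent_id": (ar.findtext("agent_id") or "").strip() or None,
            "level": int(ar.findtext("level") or 0),
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return responses


def responders(response, alert_agent_id, alert_level, active_agents):
    """Hosts that run the command for an alert raised on alert_agent_id.
    Semantics follow the reply's description (assumption, not verified
    against the OSSEC source): 'local' = the reporting agent, 'server' =
    the manager, 'all' = every active agent, 'defined-agent' = agent_id."""
    if alert_level < response["level"]:
        return set()  # rule level too low, nothing fires
    loc = response["location"]
    if loc == "local":
        return {alert_agent_id}
    if loc == "server":
        return {"server"}
    if loc == "all":
        return set(active_agents)
    if loc == "defined-agent":
        return {response["agent_id"]}
    raise ValueError(f"unknown active-response location {loc!r}")
```

Running `responders()` on the parsed block with an alert from agent 003 returns `{'001'}`, which is the behaviour the poster saw; switching the location to 'local' returns `{'003'}` instead.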