ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

manual command > how to ban ip with custom agent #1316

Open adamgyongyosi opened 6 years ago

adamgyongyosi commented 6 years ago

Hello

I need a command I can run from a prompt, because I would like to block the agent's IP addresses manually from the OSSEC server.

I tried:

/var/ossec/bin/agent_control -b 84.1.195.241 -f firewall-drop -u 001

Response:

OSSEC HIDS agent_control: Running active response 'firewall-drop' on: 001

Then I listed the responses and tried again on the agent:

[root@monitoring ~]# /var/ossec/bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

Response name: firewall-drop600, command: firewall-drop.sh

[root@monitoring ~]# /var/ossec/bin/agent_control -b 84.1.195.241 -f firewall-drop600 -u 001

OSSEC HIDS agent_control: Running active response 'firewall-drop600' on: 001

It is not working.

I'm sorry for my bad English.

ddpbsd commented 6 years ago

Is ossec-execd running on the agent? Does firewall-drop.sh exist? Does it work if you run it locally?

adamgyongyosi commented 6 years ago

Yes, it works locally.

ddpbsd commented 6 years ago

Is ossec-execd running on the agent?

adamgyongyosi commented 6 years ago

(screenshot attached)

ddpbsd commented 6 years ago

It does not look like execd is running. Is it disabled in the ossec.conf?

adamgyongyosi commented 6 years ago

agent ossec.conf: https://pastebin.com/n8QFJgWH
server ossec.conf: https://pastebin.com/2fzpEizF

ddpbsd commented 6 years ago

Try adding this to the agent's ossec.conf and restarting the processes:

  <active-response>
    <disabled>no</disabled>
  </active-response>
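The three questions ddpbsd works through above (is active-response disabled in the agent's ossec.conf, does the response script exist and run, is ossec-execd running) are the usual reasons a manual agent_control ban silently does nothing. The script below is an added example, not OSSEC project code and not from this thread: it checks those three things before issuing the ban. It assumes the standard /var/ossec layout (ossec.conf under etc/, response scripts under active-response/bin/, agent_control under bin/) and takes the process list on stdin so the check can be run against a constructed tree. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not OSSEC code): pre-flight checks before a manual
# agent_control ban, covering the points raised in the thread.
# OSSEC_BASE defaults to the standard install prefix and can be overridden
# to point the checks at a test tree.

: "${OSSEC_BASE:=/var/ossec}"

# Returns 0 if an <active-response> block in CONF ($1) contains
# <disabled>yes</disabled>, i.e. the agent will ignore responses from the server.
ar_disabled_in_conf() {
    awk '
        /<active-response>/   { inblk = 1 }
        inblk && /<disabled>[[:space:]]*yes[[:space:]]*<\/disabled>/ { found = 1 }
        /<\/active-response>/ { inblk = 0 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Returns 0 if the response script NAME ($1) exists and is executable
# under $OSSEC_BASE/active-response/bin on this host (the agent side).
ar_script_ok() {
    [ -x "$OSSEC_BASE/active-response/bin/$1" ]
}

# Reads a list of process names on stdin (e.g. the output of `ps -eo comm`)
# and returns 0 if ossec-execd is among them.
execd_running() {
    grep -qx 'ossec-execd'
}

# Runs all three checks for response script $1, printing each result.
# Returns the number of failed checks (0 when everything is in place).
# Expects the process-name list on stdin.
ar_preflight() {
    conf="$OSSEC_BASE/etc/ossec.conf"
    script="$1"
    fails=0
    if ar_disabled_in_conf "$conf"; then
        echo "FAIL: $conf disables active-response (set <disabled>no</disabled>)"
        fails=$((fails + 1))
    else
        echo "ok:   active-response is not disabled in $conf"
    fi
    if ar_script_ok "$script"; then
        echo "ok:   $OSSEC_BASE/active-response/bin/$script is executable"
    else
        echo "FAIL: $OSSEC_BASE/active-response/bin/$script is missing or not executable"
        fails=$((fails + 1))
    fi
    if execd_running; then
        echo "ok:   ossec-execd is running"
    else
        echo "FAIL: ossec-execd is not running (active-response disabled or agent not restarted?)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Issues the ban from the server: ban_ip IP AGENT_ID RESPONSE_NAME.
# RESPONSE_NAME must be the name exactly as `agent_control -L` prints it
# (in the thread that is firewall-drop600, the command name with its timeout).
ban_ip() {
    "$OSSEC_BASE/bin/agent_control" -b "$1" -f "$3" -u "$2"
}

# Stand-alone use on an agent host: sh ar_preflight.sh firewall-drop.sh
if [ $# -gt 0 ]; then
    ps -eo comm | ar_preflight "$1"
fi
```

Run the pre-flight on the agent (where execd and the script live), then the ban on the server; a non-zero return from ar_preflight names which of the three prerequisites is missing, which is the information the thread had to extract one question at a time.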