
We are running OSSEC as a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), where it invokes an active-response (i.e. dynamic IP blocking) accordingly.

clientA (OSSEC agent) --> ServerA (OSSEC server)

clientB (OSSEC agent) --> ServerA (OSSEC server)

The active-response feature of OSSEC works great for the most part. However the problem is that even though clientA & clientB are "clustered," the OSSEC server will block the offending IP of an end-user pertinent to each client.

Meaning, if ServerA blocks an end-user IP of 1.2.3.4 on clientA, that same action is not reflected on clientB.

After reading through the OSSEC manual, I'm pretty sure there isn't a way to address this scenario. Or is there?

If there isn't, I was seeking advice or suggestions from the community to see if there's an alternative way to handle it.

Thank you.

JSL

1 Answer

If I understand you correctly, you want the active response to be triggered on both clientA and clientB.

If this is the case, I would recommend that you take a look at the Active Response documentation.

You can define where the active response is run:

location

Where the command should be executed. You have four options:

Allowed:

  • local: on the agent that generated the event
  • server: on the OSSEC server
  • defined-agent: on a specific agent (when using this option, you need to set the agent_id to use)
  • all: or everywhere.

source: http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.active-response.html

Ialokin
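
The `location` option described in the answer, shown as an added configuration example that is not part of the original question or answer. It assumes the stock `firewall-drop` command; the agent IDs `001` and `002` for clientA and clientB, the rule level and the timeout are assumed values.

```xml
<!-- ossec.conf on the OSSEC server (ServerA). Added example; values are assumptions. -->

<!-- Stock command: runs firewall-drop.sh with the offending source IP. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Keep only ONE of the variants below. -->

<!-- Variant 1 (behaviour described in the question): the block is applied
     only on the agent that generated the event, so an IP blocked on
     clientA can still reach clientB through the load balancer. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>        <!-- assumed minimum rule level -->
  <timeout>600</timeout>  <!-- assumed: unblock after 600 seconds -->
</active-response>

<!-- Variant 2: run the response everywhere, so both web servers block the
     IP. Note that this also reaches every other agent reporting to ServerA. -->
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<!-- Variant 3: limit the response to the clustered agents, one block per
     agent. 001 and 002 are assumed IDs for clientA and clientB. -->
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>002</agent_id>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
```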