Use OSSEC active response behind load balancer

monitoring, ossec

We have OSSEC installed on some web servers running behind Amazon ELB. The problem is that when the active response triggers it blocks the IP address of the load balancer. Is there any way to use the active response to block clients sending suspect requests when OSSEC is behind a load balancer?

Thanks

Best Answer

You can add the IP(s) to the white list in ossec.conf. That file is typically in /var/ossec/etc/ossec.conf.

    <global>
      <white_list>ip goes here</white_list>
      ...
    </global>

Then restart ossec with /etc/init.d/ossec restart.
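A way to confirm, before restarting, that every load balancer address is covered by a white_list entry. This is an added example, not part of the answer above; the function names, the sample config and the 10.0.x.x addresses are constructed for illustration, and it assumes white_list entries are single IPs or CIDR netblocks.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config; the 10.0.x.x load balancer addresses are made up.
SAMPLE_CONF = """\
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>10.0.1.0/24</white_list>
  </global>
</ossec_config>
<ossec_config>
  <global>
    <white_list>ip goes here</white_list>
  </global>
</ossec_config>
"""

def white_list_networks(conf_text):
    """Return the IPs/netblocks from every <global><white_list> entry."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    nets = []
    for entry in root.findall("./ossec_config/global/white_list"):
        value = (entry.text or "").strip()
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue  # leftover placeholder or hostname: not an IP, skip it
    return nets

def uncovered(lb_addresses, conf_text):
    """Return the load balancer addresses that no white_list entry covers."""
    nets = white_list_networks(conf_text)
    missing = []
    for addr in lb_addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            missing.append(addr)
    return missing

if __name__ == "__main__":
    # With a real install, read /var/ossec/etc/ossec.conf instead of SAMPLE_CONF.
    print(uncovered(["10.0.1.20", "10.0.2.15"], SAMPLE_CONF))
```

Any address it returns would still be blocked by active response when a rule fires on traffic arriving through that load balancer node.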
