
[ossec-list] Re: iptables question



Great idea.  What about for attacks against services that either
should not be running or if running, should be secured?  Say if some
bozo is running telnet or rexec and a scan or attack comes in for
either of those ports, have OSSEC update or create an xinetd script
with a deny_from, or possibly just fire off an email alert with xinetd
and configuration recommendations?  Too much work?


On 7/18/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>
> Good idea. Next version we will try to add something like that...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 7/18/06, peter@xxxxxxx <peter@xxxxxxx> wrote:
> >
> > Good morning everybody,
> >
> > > Thanks for the response.  Yes, I found the logs yesterday.
> > > I wasn't paying attention when I installed as to where the logs were
> > > being kept, but I have verified that active-response is working.. kind
> > > of funny actually because I locked myself out of my machine while I was
> > > still looking for the logs when I ran a scan against my machine.. :)
> > >
> >
> > Would it be possible to add some info about active response to
> > the alert mails? Something like:
> >
> > blahblah Level 12: very bad things happening.
> > active response triggered: 192.168.1.2
> >
> > peter
> >



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.