[ossec-list] Re: active response
Hi Quenten,
Your configuration is right, but ossec is acting wrong.
Just remove the following entry:
<active-response>
<disabled>no</disabled>
</active-response>
And it should work. When reading the XML, ossec checks if "disabled"
is present, but doesn't look at the content. So, even if you set it
to "no", ossec will still disable active-response.
It will be fixed for the next release...
Thanks,
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 6/16/06, Quenten Griffith <qgriffith@xxxxxxxxx> wrote:
> Active response does not seem to be working. I have the following config in
> my ossec.conf file:
>
> <active-response>
> <disabled>no</disabled>
> </active-response>
>
> <active-response>
> <command>firewall-drop</command>
> <location>local</location>
> <rules_id>1512</rules_id>
> </active-response>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> </command>
>
> And when this rule happens I do not see anything logged to the active
> response log file that my command was run.
>
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.
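An added example, not part of the original thread or of OSSEC's own code: a small audit that flags any `<active-response>` block carrying a `<disabled>` element whose value does not ask for disabling, since the reply above says the affected release disables active response on the element's presence alone. The function names are hypothetical, the sample is the configuration quoted in the thread, and treating "yes" as the value that intends disabling is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ossec.conf fragment quoted in the thread.
SAMPLE_CONF = """
<active-response>
  <disabled>no</disabled>
</active-response>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>1512</rules_id>
</active-response>
"""

def audit_active_response(conf_text):
    """Return one finding per <active-response> block containing <disabled>."""
    # ossec.conf may hold several top-level elements, so wrap the text in a
    # synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    for index, block in enumerate(root.iter("active-response"), start=1):
        tag = block.find("disabled")
        if tag is None:
            continue
        value = (tag.text or "").strip().lower()
        findings.append({
            "block": index,
            "value": value,
            # Assumption: "yes" is the value that means "turn it off".
            "intended_disabled": value == "yes",
            # Behaviour described in the reply: presence alone disables.
            "effective_disabled": True,
        })
    return findings

def silently_disabled(conf_text):
    """True when the config asks for active response but the parser disables it."""
    return any(f["effective_disabled"] and not f["intended_disabled"]
               for f in audit_active_response(conf_text))

if __name__ == "__main__":
    for finding in audit_active_response(SAMPLE_CONF):
        print(finding)
    print("silently disabled:", silently_disabled(SAMPLE_CONF))
```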