
[ossec-list] active-response





   Hi

   I updated my OSSEC to the 9-1a version on Monday and, after the
update, my active-response doesn't work anymore.

   My active-response configuration in ossec.conf is this:
 <command>
   <name>ssh-drop</name>
   <executable>firewall-drop.sh</executable>
   <expect>srcip</expect>
   <timeout_allowed>yes</timeout_allowed>
 </command>

 <active-response>
   <command>ssh-drop</command>
   <location>local</location>
   <timeout>600</timeout>
 </active-response>

   Before the upgrade I had this line, which tells the active-response
to work with some rules:
<rules_id>xxx</rules_id>

   If I use this line again, I get this error:
# service ossec restart
Stopping OSSEC:                                            [  OK  ]
Starting OSSEC: 2006/09/06 10:47:16 ossec-analysisd(1230): Invalid element in the configuration: rules_id.
2006/09/06 10:47:16 ossec-analysisd(1202): Configuration problem. Exiting.
2006/09/06 10:47:16 ossec-analysisd(1202): Configuration problem. Exiting.

[FAILED]

   With the 9-1a version, can I specify which rules the active-response
will work with? How do I use active-response in this version?

Tks
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
goldim@xxxxxxxxxxxxxxxxxxxx

Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.