[ossec-list] Re: active-response

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Leonardo,

Can you show us your full configuration file? The "rules_id" option should
still work, but make sure it is inside the "active_response" configuration
section. Something like that:

 <active-response>
  <command>ssh-drop</command>
  <location>local</location>
  <rules_id>xxx</rules_id>
  <timeout>600</timeout>
</active-response>

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/8/06, Leonardo Goldim <goldim@xxxxxxxxxxxxxxxxxxxx> wrote:
>     Hi
>
>     I updated my ossec to 9-1a version on monday and, after updated, my
> active-response doesn't work anymore.
>
>     My active-response configuration at ossec.conf is this:
>   <command>
>     <name>ssh-drop</name>
>     <executable>firewall-drop.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <active-response>
>     <command>ssh-drop</command>
>     <location>local</location>
>     <timeout>600</timeout>
>   </active-response>
>
>     Before the upgrade i had this line, that tell the active-response
> will work with some rules:
> <rules_id>xxx</rules_id>
>
>     If i use this line again, i got this error:
> # service ossec restart
> Stopping OSSEC:                                            [  OK  ]
> Starting OSSEC: 2006/09/06 10:47:16 ossec-analysisd(1230): Invalid
> element in the configuration: rules_id.
> 2006/09/06 10:47:16 ossec-analysisd(1202): Configuration problem. Exiting.
> 2006/09/06 10:47:16 ossec-analysisd(1202): Configuration problem. Exiting.
>
> [FAILED]
>
>     With the 9-1a version, can I specify what rules the active-response
> will work? How i use active-response in this version?
>
> Tks
> --
> ________________________________________
> Leonardo Goldim - Auditoria Intranetworks
> goldim@xxxxxxxxxxxxxxxxxxxx
>
> Intranetworks
> Rua Marquês do Pombal 1710/805
> Porto Alegre - RS - 90540-000
> +55 51 3325-5700
> +55 51 8415-8604