
[ossec-list] Re: active-response




   Hi Daniel

   I was probably using the "rules_id" inside the "command" section.
   I put it inside the "active-response" section, and now this works fine.

   Thanks again Daniel.

--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
goldim@xxxxxxxxxxxxxxxxxxxx

Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604



Daniel Cid wrote:

Hi Leonardo,

Can you show us your full configuration file? The "rules_id" option should still work, but make sure it is inside the "active-response" configuration
section. Something like this:

<active-response>
  <command>ssh-drop</command>
  <location>local</location>
  <rules_id>xxx</rules_id>
  <timeout>600</timeout>
</active-response>

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/8/06, Leonardo Goldim <goldim@xxxxxxxxxxxxxxxxxxxx> wrote:


    Hi

    I updated my ossec to the 9-1a version on Monday and, after the update, my
active-response doesn't work anymore.

    My active-response configuration at ossec.conf is this:
  <command>
    <name>ssh-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>ssh-drop</command>
    <location>local</location>
    <timeout>600</timeout>
  </active-response>

    Before the upgrade I had this line, which tells the active-response
to work only with some rules:
<rules_id>xxx</rules_id>

    If I use this line again, I get this error:
# service ossec restart
Stopping OSSEC:                                            [  OK  ]
Starting OSSEC: 2006/09/06 10:47:16 ossec-analysisd(1230): Invalid element in the configuration: rules_id.
2006/09/06 10:47:16 ossec-analysisd(1202): Configuration problem. Exiting.
                                                           [FAILED]

    With the 9-1a version, can I specify which rules the active-response
will work with? How do I use active-response in this version?

Tks




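The whole thread comes down to one rule: `<rules_id>` belongs to the `<active-response>` block, not to the `<command>` block, and ossec-analysisd refuses to start when an element sits in the wrong block. The following is an added example, not code from the thread or from the OSSEC project: a small Python lint that parses an ossec.conf fragment like the ones posted above and reports misplaced elements in the style of the analysisd error Leonardo saw. It also checks that every `<active-response>` refers to a `<command>` that was actually defined. The allowed-element sets are taken only from the elements visible in this thread (the real parser accepts more, so they are an assumption of the example), and the `xxx` rule ID is the same placeholder the thread uses.

```python
"""Lint the <command> / <active-response> blocks of an ossec.conf fragment.

Added example for the thread above; not OSSEC's own code. The allowed child
elements below are only those that appear in the thread (assumption: the real
ossec-analysisd parser accepts additional elements).
"""
import xml.etree.ElementTree as ET

ALLOWED = {
    "command": {"name", "executable", "expect", "timeout_allowed"},
    "active-response": {"command", "location", "rules_id", "timeout"},
}


def lint_active_response(fragment: str) -> list:
    """Return analysisd-style error strings for a <command>/<active-response> fragment.

    `fragment` is the text of the blocks as they sit inside <ossec_config>;
    it is wrapped in that root here so a snippet pasted from a mail parses
    as a complete document.
    """
    root = ET.fromstring("<ossec_config>" + fragment + "</ossec_config>")
    errors = []
    defined_commands = set()
    referenced_commands = []

    # Only top-level blocks are inspected, so the <command> child that lives
    # inside <active-response> is not mistaken for a command definition.
    for block in root:
        allowed = ALLOWED.get(block.tag)
        if allowed is None:
            continue
        for child in block:
            if child.tag not in allowed:
                errors.append(
                    "ossec-analysisd(1230): Invalid element in the "
                    "configuration: %s (inside <%s>)." % (child.tag, block.tag)
                )
        if block.tag == "command":
            name = block.findtext("name")
            if name:
                defined_commands.add(name.strip())
        else:
            ref = block.findtext("command")
            if ref:
                referenced_commands.append(ref.strip())

    # Cross-check: an <active-response> must name a defined <command>.
    for ref in referenced_commands:
        if ref not in defined_commands:
            errors.append(
                "active-response references undefined command: %s." % ref
            )
    return errors


# Constructed sample: rules_id misplaced inside <command>, as in the question.
BROKEN = """
<command>
  <name>ssh-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
  <rules_id>xxx</rules_id>
</command>
<active-response>
  <command>ssh-drop</command>
  <location>local</location>
  <timeout>600</timeout>
</active-response>
"""

# Constructed sample: the layout Daniel describes, rules_id in <active-response>.
FIXED = """
<command>
  <name>ssh-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>ssh-drop</command>
  <location>local</location>
  <rules_id>xxx</rules_id>
  <timeout>600</timeout>
</active-response>
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_active_response(cfg) or "OK")
```

Running it prints the misplaced `rules_id` for the broken fragment and `OK` for the fixed one; point it at the relevant part of a real ossec.conf before restarting the service and you get the same complaint analysisd would give, without taking the IDS down to find it.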


OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.