[ossec-list] Re: Two questions in one.

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Mark,

You can have as many "active-response" blocks you want on ossec.
Actually, if you want multiple responses, each one must be inside
a separate active-response tag. If you look at the default config,
it has two entries (one for firewall-drop and one for host-deny).

The "expect" tag currently only supports srcip and username.
However, by default it always pass the action, rule id, event id
and agent name to the scripts...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/1/07, Mark Haney <mhaney@xxxxxxxxxxxxxxxx> wrote:
> Well my other posts got dropped yesterday, but I did manage to figure
> out one of them.  However I have a couple of other things I need
> clarifying.
>
> 1.  Can I have multiple <active-response></> blocks in ossec.conf?  Or
> must I put all my active response stuff inside one block?
>
> 2.  The documentation for the <expect> tag seems to indicate that I can
> put ANY text in the tags to be passed to a command, yet when I try it, I
> don't get anything passed but junk to the command.  Is this an error, or
>   am I doing something wrong?
>
>
> --
> Ita erat quando hic adveni.
>
> Mark Haney
> Sr. Systems Administrator
> ERC Broadband
> (828) 350-2415