[ossec-list] Active Responses
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Active Responses
- From: Dan <securitydan@xxxxxxxxx>
- Date: Tue, 11 Sep 2007 12:40:16 +0200
Hi List
I have a question concerning the active responses. How can I be
sure that every alert with a defined level or higher level?
Is it enough if there are the following lines in the ossec.conf?
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
Or do I also have to edit all alerts to add the ability of an active
response?
Thanks for your help.
regards,
Daniel
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.