[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: Active Responses

To: ossec-list <ossec-list@xxxxxxxxxxxxxxxx>
Subject: [ossec-list] Re: Active Responses
From: "Peter M. Abraham" <peter.m.abraham@xxxxxxxxx>
Date: Tue, 11 Sep 2007 07:27:35 -0700

Greetings Daniel:

If an existing alert has a level lower than the value, it will not be
a part of active response.

Personally, I don't like the active-response level approach as who
knows if it will block a false positive, or something that should be
further investigated.

That stated, we use the sid approach where I list out the rules for
which blocks should apply.

If you do need to change levels, place the rules in /var/ossec/rules/
local_rules.xml and use the overwrite="yes" flag (on the same line as
the <rule>

Thank you.

Follow-Ups:
- [ossec-list] Re: Active Responses
  - From: Dan

References:
- [ossec-list] Active Responses
  - From: Dan

Prev by Date: [ossec-list] Active Responses
Next by Date: [ossec-list] Re: Active Responses
Previous by thread: [ossec-list] Active Responses
Next by thread: [ossec-list] Re: Active Responses
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.