[ossec-list] Re: Active Responses
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active Responses
- From: Dan <securitydan@xxxxxxxxx>
- Date: Wed, 12 Sep 2007 10:57:09 +0200
Hi

Thanks, Peter. I know about that with the false positives. I will use the
active responses to send alerts to another system.

I just made the active-response script and also edited the ossec.conf. I did
it like in the guide from Daniel Cid:
http://www.ossec.net/wiki/index.php/Know_How:CustomActiveResponses

I use ossec 1.3.

But the active response won't be executed. What did I do wrong?

As far as I know, I activated the active responses during the setup. Are there
any ways to check that? How can I see what happens?

I also noticed that there was no logfile for the active response. I just
added an empty file with the correct name, and it is still empty, so I assume
that no active response was executed.

I use ossec in a server-agent installation, so I configured it like in the
guide.

Does anyone have any hints?

Thanks for your help.

Regards,
Daniel

On 11.09.2007 at 16:27, Peter M. Abraham wrote:
>
> Greetings Daniel:
>
> If an existing alert has a level lower than the value, it will not be
> a part of active response.
>
> Personally, I don't like the active-response level approach as who
> knows if it will block a false positive, or something that should be
> further investigated.
>
> That stated, we use the sid approach where I list out the rules for
> which blocks should apply.
>
> If you do need to change levels, place the rules in /var/ossec/rules/
> local_rules.xml and use the overwrite="yes" flag (on the same line as
> the <rule> tag).
>
> Thank you.
>
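For anyone in Daniel's position, here is an added example (written for this archive page; it is not code from the thread or from the OSSEC project) of the checks I would run before concluding that OSSEC dropped the event: whether active response is still disabled from setup, whether any <active-response> block actually matches the rule id and level of the alert you expect (Peter's point about <level> versus rules_id), whether the script named by the <command> is present and executable in active-response/bin, and whether the script runs by hand with the five arguments ossec-execd passes it (action, user, source IP, alert ID, rule ID). It is POSIX sh plus awk and runs offline against a constructed ossec.conf and response script in a temporary directory; the command name mail-alert, the rule ids 100100 and 100200, the alert id and the address 192.0.2.10 are made up for the example, and the assumption that <level> and <rules_id> each trigger a block on their own is mine, not something the thread states.

```shell
#!/bin/sh
# Added example; not from the original thread and not part of OSSEC. Offline
# pre-flight checks for a custom active response on an OSSEC server, run here
# against a constructed ossec.conf (built below) standing in for /var/ossec.
# Assumed: one XML element per line, as the stock ossec.conf is written, and
# that <level> and <rules_id> in an <active-response> block each fire alone.

# Check 1: declining active response at install time leaves
# <active-response><disabled>yes</disabled></active-response> in the config.
ar_disabled() {   # CONF -> yes | no
    awk '
        /<active-response>/   { inblk = 1 }
        /<\/active-response>/ { inblk = 0 }
        inblk && /<disabled>[ \t]*yes[ \t]*<\/disabled>/ { found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}
# Check 2: a block fires when RULE_ID is in its <rules_id> or RULE_LEVEL is at
# least its <level>; a custom rule below that <level> never triggers it.
ar_blocks_firing() {   # CONF RULE_ID RULE_LEVEL -> command names, one per line
    awk -v rid="$2" -v rlevel="$3" '
        function val(s) { sub(/^[^>]*>[ \t]*/, "", s); sub(/[ \t]*<.*$/, "", s); return s }
        /<active-response>/   { inblk = 1; cmd = ""; fire = 0; next }
        !inblk { next }
        /<command>/  { cmd = val($0) }
        /<level>/    { if (rlevel + 0 >= val($0) + 0) fire = 1 }
        /<rules_id>/ { n = split(val($0), ids, "[ \t]*,[ \t]*")
                       for (i = 1; i <= n; i++) if (ids[i] == rid) fire = 1 }
        /<\/active-response>/ { if (fire && cmd != "") print cmd; inblk = 0 }
    ' "$1"
}
# Check 3: map the <command> name to its <executable> and confirm the file is
# executable in active-response/bin (stock scripts are 750 root:ossec).
ar_executable_of() {   # CONF NAME -> executable file name, empty if undefined
    awk -v name="$2" '
        function val(s) { sub(/^[^>]*>[ \t]*/, "", s); sub(/[ \t]*<.*$/, "", s); return s }
        /^[ \t]*<command>[ \t]*$/ { inblk = 1; n = ""; e = ""; next }
        !inblk { next }
        /<name>/       { n = val($0) }
        /<executable>/ { e = val($0) }
        /<\/command>/  { if (n == name) print e; inblk = 0 }
    ' "$1"
}
ar_script_status() {   # BIN_DIR EXECUTABLE -> ok | missing | not-executable
    [ -n "$2" ] && [ -e "$1/$2" ] || { echo missing; return; }
    [ -x "$1/$2" ] && echo ok || echo not-executable
}
# Run the checks for one hypothetical alert and, where they pass, call the script
# by hand with the five arguments ossec-execd passes. Returns 0 if a script ran.
ar_report() {   # CONF BIN_DIR RULE_ID RULE_LEVEL SRC_IP
    conf=$1; bin=$2; rid=$3; rlevel=$4; ip=$5; rc=1
    [ "$(ar_disabled "$conf")" = no ] || { echo "active response disabled in $conf"; return 1; }
    cmds=$(ar_blocks_firing "$conf" "$rid" "$rlevel")
    [ -n "$cmds" ] || { echo "no <active-response> block fires for rule $rid at level $rlevel"; return 1; }
    for c in $cmds; do
        exe=$(ar_executable_of "$conf" "$c")
        st=$(ar_script_status "$bin" "$exe")
        echo "command $c -> $bin/$exe: $st"
        [ "$st" = ok ] && "$bin/$exe" add - "$ip" 1189591029.1234 "$rid" && rc=0
    done
    return $rc
}

# --- Constructed sample standing in for /var/ossec; not a real install ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/etc/ossec.conf"
SAMPLE_BIN="$SAMPLE_DIR/active-response/bin"
mkdir -p "$SAMPLE_DIR/etc" "$SAMPLE_BIN" "$SAMPLE_DIR/logs"
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <command>
    <name>mail-alert</name>
    <executable>mail-alert.sh</executable>
    <expect></expect>
  </command>
  <active-response>   <!-- level trigger as in the how-to: alerts of level 10+ -->
    <command>mail-alert</command>
    <location>server</location>
    <level>10</level>
  </active-response>
  <active-response>   <!-- rule-id trigger, Peter's "sid approach" -->
    <command>mail-alert</command>
    <location>server</location>
    <rules_id>100100</rules_id>
  </active-response>
</ossec_config>
EOF
# The response script, with the stock argument contract. Like the stock scripts it
# writes its own line to logs/active-responses.log: an empty log means it never ran.
cat > "$SAMPLE_BIN/mail-alert.sh" <<'EOF'
#!/bin/sh
# $1 action (add|delete)  $2 user  $3 source ip  $4 alert id  $5 rule id
LOGDIR="$(dirname "$0")/../../logs"
echo "$(date) $0 $1 $2 $3 $4 $5" >> "$LOGDIR/active-responses.log"
[ "$1" = add ] || exit 0
echo "alert $4 rule $5 from $3" >> "$LOGDIR/forwarded.log"   # stand-in for the real forwarding
EOF
chmod 750 "$SAMPLE_BIN/mail-alert.sh"
# A level-7 alert from rule 100100 reaches the rules_id block only; rule 100200
# at level 7 reaches nothing, because the level block needs 10.
ar_report "$SAMPLE_CONF" "$SAMPLE_BIN" 100100 7 192.0.2.10
ar_report "$SAMPLE_CONF" "$SAMPLE_BIN" 100200 7 192.0.2.10 || true
```

On a real server, point ar_report at /var/ossec/etc/ossec.conf and /var/ossec/active-response/bin with the id and level of the rule your test event fires (ossec-logtest prints both for a pasted log line), and confirm with /var/ossec/bin/ossec-control status that ossec-execd is running on the host named in <location>. Two things the example makes visible: raising a rule's level with overwrite="yes" in local_rules.xml, as Peter suggests, changes nothing unless the new level reaches a block's <level>, whereas a rules_id block fires regardless of level; and because the stock scripts write the active-responses.log entry themselves, an empty file means the script was never reached (or never logs), not that OSSEC failed to record it.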
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.