[ossec-list] Re: Active Responses
Greetings Daniel:
I'm also using 1.3 (and a relatively new user; so I'm still learning
too).
On the actual server (i.e. agent or local install) there should be a
/var/ossec/logs/active-responses.log file if you have active-response
enabled.
That is where you can check if your active response is kicking off.
Here's what I use on the ossec server in /var/ossec/etc/ossec.conf
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712,5720,100200,100210,100220,100230,100240</rules_id>
  <timeout>28800</timeout>
</active-response>
That has been working well; though I've not tested if the timeout is
being honored. The 100000 rules are the custom rules I wrote in
local_rules.xml
Please let me know if you have any questions.
Thank you.
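As an added illustration (not part of the original post), here is a small Python checker for the approach described above: it reads active-responses.log, pairs each firewall-drop "add" with its later "delete" for the same source IP, and reports whether the gap matches the configured 28800-second timeout. The log line layout ("<date> <script> <add|delete> <user> <srcip> ...") and the sample lines are assumptions constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample of active-responses.log lines (layout assumed, not taken from OSSEC docs).
SAMPLE_LOG = """\
Sun Mar 15 10:00:00 UTC 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1237111200.1 5712
Sun Mar 15 10:02:00 UTC 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.9 1237111320.2 100200
Sun Mar 15 18:00:00 UTC 2009 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1237111200.1 5712
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict with timestamp, script name, action and IP, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m["date"].split()
    # Drop the timezone token (index 4) so strptime only sees fields it parses portably.
    ts = datetime.strptime(" ".join(d[:4] + d[5:]), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "script": m["script"].rsplit("/", 1)[-1],
            "action": m["action"], "ip": m["ip"]}


def check_timeouts(log_text, timeout_seconds, script="firewall-drop.sh", tolerance=60):
    """Map each blocked IP to ('honored'|'deviates'|'pending', seconds held or None)."""
    pending, result = {}, {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["script"] != script:
            continue
        if ev["action"] == "add":
            pending[ev["ip"]] = ev["ts"]
        elif ev["action"] == "delete" and ev["ip"] in pending:
            held = (ev["ts"] - pending.pop(ev["ip"])).total_seconds()
            status = "honored" if abs(held - timeout_seconds) <= tolerance else "deviates"
            result[ev["ip"]] = (status, held)
    for ip in pending:  # added but never deleted so far: block still in place
        result[ip] = ("pending", None)
    return result


if __name__ == "__main__":
    for ip, (status, held) in check_timeouts(SAMPLE_LOG, 28800).items():
        print(f"{ip}: {status}" + (f" ({held:.0f}s)" if held is not None else ""))
```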
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.