[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: Active Responses

To: ossec-list <ossec-list@xxxxxxxxxxxxxxxx>
Subject: [ossec-list] Re: Active Responses
From: "tswmmeejsdad@xxxxxxxxx" <tswmmeejsdad@xxxxxxxxx>
Date: Wed, 26 Sep 2007 22:46:51 -0700

Although it's good to enable active response for just the rules you
want - is there a way to do the opposite that allows you to add a rule
that won't fire off active response (like an exception list).

For example I am getting a lot of web customers who have embedded
javascript code in their HTML files that does not exsit - hence
triggering Rule: 31151 (level 10) -> 'Mutiple web server 400 error
codes from same source ip.'. Because I have active response turned on,
these unknowing customer's IPs are blocked after browsing to a few
pages within the site because the web server can't find that java
scripts. I know it's bad coding but is there a way to exclude this
rule from triggering active response without having to turn active
response off.

Thanks.

Andy

Follow-Ups:
- [ossec-list] Re: Active Responses
  - From: Daniel Cid

References:
- [ossec-list] Active Responses
  - From: Dan
- [ossec-list] Re: Active Responses
  - From: Peter M. Abraham
- [ossec-list] Re: Active Responses
  - From: Dan
- [ossec-list] Re: Active Responses
  - From: Peter M. Abraham

Prev by Date: [ossec-list] Re: Granular Email Options
Next by Date: [ossec-list] Re: OSSEC Email-notification: multiple email-addresses/recipients possible?
Previous by thread: [ossec-list] Re: Active Responses
Next by thread: [ossec-list] Re: Active Responses
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.