[ossec-list] Re: Active responses stopped working

2018-02-07 Thread Rob Kniaz
Ole, would you mind sharing your notify-pushbullet script? On Thursday, September 8, 2016 at 3:59:26 PM UTC+1, Ole Jakob Skjelten wrote: > > Hi, > > Having fiddled perhaps a bit too much with the setup of OSSEC, my active > responses on my server stopped working last night, and I'm unable to >

Re: [ossec-list] Re: Active responses stopped working

2016-09-09 Thread dan (ddp)
On Fri, Sep 9, 2016 at 4:04 AM, Ole Jakob Skjelten wrote: > Actually, turns out, if you use a single yes for ANY > active response, it disables ALL of them. This is intended but not reflected > in the documentation (why this is considered a good idea I do not > understand, but

[ossec-list] Re: Active responses stopped working

2016-09-09 Thread Jesus Linares
Hi, what OSSEC version are you running? Regards. On Friday, September 9, 2016 at 10:04:31 AM UTC+2, Ole Jakob Skjelten wrote: > > Actually, turns out, if you use a single *yes* for > ANY active response, it disables ALL of them. This is intended but not > reflected in the documentation (why

[ossec-list] Re: Active responses stopped working

2016-09-09 Thread Ole Jakob Skjelten
Actually, turns out, if you use a single *yes* for ANY active response, it disables ALL of them. This is intended but not reflected in the documentation (why this is considered a good idea I do not understand, but I'm sure there is a really good reason ;) ). Hope this helps someone else. On

Re: [ossec-list] Re: Active Responses triggered but no events logged

2011-06-10 Thread Michael Starks
On 06/09/2011 09:52 PM, treydock wrote: Looking at the details of the rule I see why I didn't get any emails or extra log entries...it's level 6 (my threshold of notification is 7) and it doesn't have the setting in the rule to send email notifications. I think what threw me off was getting a

Re: [ossec-list] Re: Active Responses triggered but no events logged

2011-06-10 Thread dan (ddp)
Hi Trey, On Thu, Jun 9, 2011 at 10:52 PM, treydock treyd...@gmail.com wrote: Looking at the details of the rule I see why I didn't get any emails or extra log entries...it's level 6 (my threshold of notification is 7) and it doesn't have the setting in the rule to send email notifications.  I

[ossec-list] Re: Active Responses triggered but no events logged

2011-06-10 Thread treydock
A somewhat related question...I'm now using the built in active-response notification rules and just had an active-response go off that didn't send out an email. The following should be sufficient to override the alert setting being emails for all alerts level 7+, correct? email_alerts

[ossec-list] Re: Active Responses triggered but no events logged

2011-06-09 Thread treydock
Looking at the details of the rule I see why I didn't get any emails or extra log entries...it's level 6 (my threshold of notification is 7) and it doesn't have the setting in the rule to send email notifications. I think what threw me off was getting a notification that an active-response was

[ossec-list] Re: Active Responses

2007-10-22 Thread [EMAIL PROTECTED]
Thanks heap...I should have spotted that myself :)

[ossec-list] Re: Active Responses

2007-10-07 Thread [EMAIL PROTECTED]
Hi There, Just fine tuning OSSEC and need a bit of help understanding why a particular rule was fired to trigger Active Response. Turns out that we like Peter's idea of just firing Active Response based on the rules we set. At least this way we know which rules are being matched to trigger Active

[ossec-list] Re: Active Responses

2007-10-01 Thread [EMAIL PROTECTED]
Thank you Daniel... Works great !!

[ossec-list] Re: Active Responses

2007-09-27 Thread [EMAIL PROTECTED]
Although it's good to enable active response for just the rules you want - is there a way to do the opposite that allows you to add a rule that won't fire off active response (like an exception list). For example I am getting a lot of web customers who have embedded javascript code in their HTML

[ossec-list] Re: Active Responses

2007-09-27 Thread Daniel Cid
Hi Andy, The best way to ignore those is to write a local rule to ignore the event, instead of just ignoring them for the active response. Since you know it is a false positive, you don't need to be seeing alerts about them. Something like that would work (just copy to your local_rules.xml):

[ossec-list] Re: Active Responses

2007-09-13 Thread Peter M. Abraham
Greetings Daniel: I'm also using 1.3 (and a relatively new user; so I'm still learning too). On the actual server (i.e. agent or local install) there should be a /var/ossec/logs/active-responses.log file if you have active-response enabled. That is where you can check if your active response

[ossec-list] Re: Active Responses

2007-09-11 Thread Peter M. Abraham
Greetings Daniel: If an existing alert has a level lower than the value, it will not be a part of active response. Personally, I don't like the active-response level approach as who knows if it will block a false positive, or something that should be further investigated. That stated, we use

[ossec-list] Re: Active-Responses Perl

2007-09-05 Thread Daniel Cid
Hi Daniel. You can execute anything you want in there (from perl, to .sh, java, etc). It just needs to have the executable flag set and accept the proper arguments (add, delete, etc). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 9/3/07, Dan [EMAIL PROTECTED] wrote: Hi Ossec List