Ole would you mind sharing your notify-pushbullet script?
On Thursday, September 8, 2016 at 3:59:26 PM UTC+1, Ole Jakob Skjelten
wrote:
>
> Hi,
>
> Having fiddled perhaps a bit too much with the setup of OSSEC, my active
> responses on my server stopped working last night, and I'm unable to
>
On Fri, Sep 9, 2016 at 4:04 AM, Ole Jakob Skjelten wrote:
> Actually, turns out, if you use a single yes for ANY
> active response, it disables ALL of them. This is intended but not reflected
> in the documentation (why this is considered a good idea I do not
> understand, but
Hi,
what OSSEC version are you running?
Regards.
On Friday, September 9, 2016 at 10:04:31 AM UTC+2, Ole Jakob Skjelten wrote:
>
> Actually, turns out, if you use a single *yes* for
> ANY active response, it disables ALL of them. This is intended but not
> reflected in the documentation (why
Actually, turns out, if you use a single *yes* for ANY
active response, it disables ALL of them. This is intended but not
reflected in the documentation (why this is considered a good idea I do not
understand, but I'm sure there is a really good reason ;) ).
Hope this helps someone else.
On
On 06/09/2011 09:52 PM, treydock wrote:
Looking at the details of the rule I see why I didn't get any emails
or extra log entries...it's level 6 (my threshold of notification is
7) and it doesn't have the setting in the rule to send email
notifications. I think what threw me off was getting a
Hi Trey,
On Thu, Jun 9, 2011 at 10:52 PM, treydock treyd...@gmail.com wrote:
Looking at the details of the rule I see why I didn't get any emails
or extra log entries...it's level 6 (my threshold of notification is
7) and it doesn't have the setting in the rule to send email
notifications. I
A somewhat related question...I'm now using the built in active-
response notification rules and just had an active-response go off
that didn't send out an email. The following should be sufficient to
override the alert setting being emails for all alerts level 7+,
correct?
email_alerts
Thanks heaps... I should have spotted that myself :)
Hi There,
Just fine tuning OSSEC and need a bit of help understanding why a
particular rule was fired to trigger Active Response.
Turns out that we like Peter's idea of just firing Active Response
based on the rules we set.
At least this way we know which rules are being matched to trigger Active
Thank you Daniel...
Works great !!
Although it's good to enable active response for just the rules you
want - is there a way to do the opposite that allows you to add a rule
that won't fire off active response (like an exception list).
For example I am getting a lot of web customers who have embedded
javascript code in their HTML
Hi Andy,
The best way to ignore those is to write a local rule to ignore the
event, instead of
just ignoring them for the active response. Since you know it is a
false positive, you
don't need to be seeing alerts about them.
Something like that would work (just copy to your local_rules.xml):
Greetings Daniel:
I'm also using 1.3 (and a relatively new user; so I'm still learning
too).
On the actual server (i.e. agent or local install) there should be a /
var/ossec/logs/active-responses.log file if you have active-response
enabled.
That is where you can check if your active response
Greetings Daniel:
If an existing alert has a level lower than the value, it will not be
a part of active response.
Personally, I don't like the active-response level approach as who
knows if it will block a false positive, or something that should be
further investigated.
That stated, we use
Hi Daniel.
You can execute anything you want in there (from perl, to .sh, java,
etc). It just needs
to have the executable flag set and accept the proper arguments (add,
delete, etc).
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/3/07, Dan [EMAIL PROTECTED] wrote:
Hi Ossec List