Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Decoder and rules for active-response are the same in both Wazuh and OSSEC. I meant that rules 601-606 are for a specific sh (check the *action* tag), so if you are using a custom sh you will not see the alert. Also, alert 600 is generic (for all active responses) but its level is 0. Regards. Jesus

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Barry Kaplan
Seems that Wazuh already has a decoder and rules for active-response. (Not sure if these are also in OSSEC proper.) https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/ossec_rules.xml

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread dan (ddp)
On Feb 23, 2016 12:42 AM, "Barry Kaplan" wrote:
> So I'm confused then. The server decided to initiate these actions on the client, no? The server rules are what decided those actions. Should the server not log that it took this action, given the elevated level of the rules?

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Hi Barry, if you want to see the rules generated by active response you must watch the active response log (as Dan said): syslog /var/ossec/logs/active-responses.log Now, you will see in archives.log (with option yes) the log received: 2016 Feb 23 10:59:06

Re: [ossec-list] Re: active-response alerts?

2016-02-22 Thread Barry Kaplan
So I'm confused then. The server decided to initiate these actions on the client, no? The server rules are what decided those actions. Should the server not log that it took this action, given the elevated level of the rules? I feel I am missing something in my understanding. -barry

Re: [ossec-list] Re: active-response alerts?

2016-02-22 Thread dan (ddp)
On Feb 22, 2016 6:18 AM, "Barry Kaplan" wrote:
> Hmm, ok. On clients there are entries in active-response.log (eg, firewall-drop.sh). But on the server alerts.log there is no trace of those. If I understand the rules correctly they should be there. I don't see any errors in

[ossec-list] Re: active-response alerts?

2016-02-22 Thread Barry Kaplan
Hmm, ok. On clients there are entries in active-response.log (eg, firewall-drop.sh). But on the server alerts.log there is no trace of those. If I understand the rules correctly they should be there. I don't see any errors in the ossec.log on client or server. What's the best way to debug

[ossec-list] Re: active-response alerts?

2016-02-22 Thread Jesus Linares
Hi Barry, There are decoders and rules