Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-17 Thread Ralph Durkee
Decoding the host name in named log as "url" causes it to not get passed to the active response script. I just use a dash "-" as a place holder. Decoding as user isn't perfect either as the built-in validation will sometimes reject the value and not call the script. For example the following error
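As an added illustration of the point above (this is a constructed example, not configuration posted in the thread), the fragments below show a child decoder that captures the queried name into the `user` field instead of `url`, a rule pair that fires on a flood of queries from one client, and the command / active-response wiring that makes OSSEC run the script. The decoder name `named-query-ar`, the rule ids, the regex, the sample log line and the threshold values are assumptions; only the script name `firewall-dns-query-drop.sh` comes from the thread. Where the regex goes (a local file versus the stock `decoders.xml`) is discussed later in the thread and is not settled here.

```xml
<!-- Constructed BIND query line this decoder is written against (assumed format):
     Mar 14 17:44:01 ns1 named[1234]: client 192.0.2.10#53412: query: bogus.example.net IN A + (192.0.2.53)
     Run it through ossec-logtest before deploying to confirm which decoder wins. -->

<!-- Child decoder: assumes a parent decoder named "named" keyed on program_name already exists.
     The queried name is decoded as "user" because fields decoded as "url" are never
     handed to an active-response script. -->
<decoder name="named-query-ar">
  <parent>named</parent>
  <prematch>^client \S+#\d+: query: </prematch>
  <regex offset="after_parent">^client (\S+)#\d+: query: (\S+) IN </regex>
  <order>srcip, user</order>
</decoder>

<!-- local_rules.xml: a base rule for every decoded query and a frequency rule
     (assumed thresholds: 20 queries from one source IP within 60 s). -->
<group name="local,named,">
  <rule id="100200" level="3">
    <decoded_as>named-query-ar</decoded_as>
    <description>DNS query; name decoded as user so active response can see it.</description>
  </rule>
  <rule id="100201" level="10" frequency="20" timeframe="60">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip />
    <description>Flood of DNS queries from one client.</description>
  </rule>
</group>

<!-- ossec.conf: the script is started as
       firewall-dns-query-drop.sh <action> <user> <srcip> <alert_id> <rule_id> <agent> <filename>
     so the decoded "user" (the queried name) arrives as the second argument and the
     client address as the third. Nothing decoded as "url" is passed. If the user
     value fails OSSEC's built-in validation the script is not called at all, which is
     the failure mode described in the post above. -->
<command>
  <name>firewall-dns-query-drop</name>
  <executable>firewall-dns-query-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-dns-query-drop</command>
  <location>local</location>
  <rules_id>100201</rules_id>
  <timeout>600</timeout>
</active-response>
```

The script itself must live in `active-response/bin/` under the OSSEC install and be executable; after changing decoders or rules, feed the sample line to `ossec-logtest` and check that the expected decoder and rule 100201 are reported before restarting the manager.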

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-15 Thread dan (ddp)
On Wed, Mar 15, 2017 at 4:15 PM, Ralph Durkee wrote: > Dan, > > > When I started this I was apparently using some old documentation, > probably the book you wrote several years ago, and the parameter examples > were limited. Also the newer docs show a limited set of >

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 5:44 PM, Ralph Durkee wrote: > Yes, I got the production system working against a test attack script. Will > monitor it to do tuning for the real flurries of bogus DNS queries, and will > try the duplicate / twin decoder name to see if that works.

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
Nice catch! You know it also happened to me when testing your decoders? Same thing! That is why I always recommend to use ossec-logtest, it's a wonderful tool :D I don't think you have a way to not modify *decoders.xml*, there is already a child decoder matching your event, using "prematch" which

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
Hi Ralph, You are welcome. Yes, I did, I can confirm I was seeing entries on active-response.log and the *firewall-dns-query-drop.sh* was triggering. Let me see if I can keep helping you, by "stand-alone" you mean you only have an OSSEC Manager running, don't you? Just to be sure, at