Hi Quenten,
Your configuration is right, but ossec is acting wrong.
Just remove the following entry:
<active-response>
<disabled>no</disabled>
</active-response>
And it should work. When reading the XML, ossec checks if "disabled"
is present, but doesn't look at the content. So, even if you specify it
to "no", ossec will still disable active-response.
It will be fixed for the next release...
Thanks,
--
Daniel B. Cid
dcid @ ( at ) ossec.net
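To illustrate the presence-versus-value check Daniel describes, here is an added example (not OSSEC's own code; a simplified Python reconstruction of the behaviour using a constructed config snippet modelled on the one in this thread) that contrasts the buggy check with a corrected one:

```python
# Added example: models the <active-response><disabled> parsing bug described
# in the thread. Not OSSEC's code; a simplified reconstruction for illustration.
import xml.etree.ElementTree as ET

# Constructed sample resembling the <active-response> blocks from the thread.
SAMPLE_CONF = """<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>1512</rules_id>
  </active-response>
</ossec_config>"""


def ar_disabled_buggy(conf_xml: str) -> bool:
    """Behaviour as described in the thread: any <disabled> element under
    <active-response> disables active response, whatever its content."""
    root = ET.fromstring(conf_xml)
    return any(ar.find("disabled") is not None
               for ar in root.findall("active-response"))


def ar_disabled_fixed(conf_xml: str) -> bool:
    """Corrected check: only <disabled>yes</disabled> disables active
    response. Whitespace/case are normalised; other values are rejected
    rather than silently treated as a disable."""
    root = ET.fromstring(conf_xml)
    for ar in root.findall("active-response"):
        node = ar.find("disabled")
        if node is None:
            continue
        value = (node.text or "").strip().lower()
        if value == "yes":
            return True
        if value != "no":
            raise ValueError(f"invalid <disabled> value: {node.text!r}")
    return False


def active_response_entries(conf_xml: str) -> list:
    """Lists the (command, location, rules_id) bindings that would fire."""
    root = ET.fromstring(conf_xml)
    return [(ar.findtext("command"), ar.findtext("location"), ar.findtext("rules_id"))
            for ar in root.findall("active-response") if ar.find("command") is not None]
```

With the sample config, the buggy check reports active response as disabled while the corrected check does not, which matches the symptom Quenten reported.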
On 6/16/06, Quenten Griffith <[EMAIL PROTECTED]> wrote:
> Active response does not seem to be working. I have the following config in
> my ossec.conf file
>
> <active-response>
> <disabled>no</disabled>
> </active-response>
>
> <active-response>
> <command>firewall-drop</command>
> <location>local</location>
> <rules_id>1512</rules_id>
> </active-response>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> </command>
>
> And when this rule happens I do not see anything logged to the active
> response log file that my command was run.
>