Great idea. What about for attacks against services that either should not be running or if running, should be secured? Say if some bozo is running telnet or rexec and a scan or attack comes in for either of those ports, have OSSEC update or create an xinetd script with a deny_from, or possibly just fire off an email alert with xinetd and configuration recommendations? Too much work?
On 7/18/06, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Good idea. Next version we will try to add something like that...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 7/18/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Good morning everybody,
> >
> > > Thanks for the response. Yes, I found the logs yesterday.
> > > I wasn't paying attention when I installed as to where the logs were
> > > being kept, but I have verified that active-response is working.. kind
> > > of funny actually because I locked myself out of my machine while I was
> > > still looking for the logs when I ran a scan against my machine.. :)
> >
> > would it be possible to add some info about active response to
> > the alert mails? Something like:
> >
> > blahblah Level 12: very bad things happening.
> > active response triggered: 192.168.1.2
> >
> > peter
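The xinetd-based block suggested in the first message above, written out as an added example (this is not OSSEC's own code and not something the thread participants posted). It follows the argument convention OSSEC's shipped active-response scripts use (`add|delete`, user, source IP), which is an assumption taken from scripts such as `host-deny.sh`; the service file path `/etc/xinetd.d/telnet` is likewise an assumption. Note that xinetd's attribute for denying sources is `no_access` (the post calls it `deny_from`), and that xinetd must be told to re-read its configuration before the change takes effect.

```shell
#!/bin/sh
# Added example: OSSEC-style active-response script that denies a source IP
# for one xinetd service by maintaining the service's `no_access` list.
# Not OSSEC's code. Invocation (assumed, mirrors OSSEC's host-deny.sh):
#   xinetd-deny.sh add|delete <user> <srcip> [<alert_id> <rule_id>]
# The service file below is an assumption; override with the env var.
XINETD_SERVICE_FILE="${XINETD_SERVICE_FILE:-/etc/xinetd.d/telnet}"

# xinetd_block add|delete IP FILE
# Rewrites FILE so that exactly one `no_access = ...` line inside the
# service { } block carries the denied IPs. `add` is idempotent; `delete`
# drops the whole line once the list is empty. Only the plain `=` form is
# handled (not xinetd's `+=`/`-=` operators).
xinetd_block() {
    action="$1"; ip="$2"; file="$3"
    case "$ip" in
        ""|*[!0-9.]*) echo "xinetd_block: refusing suspicious ip '$ip'" >&2; return 1 ;;
    esac
    case "$action" in
        add|delete) ;;
        *) echo "xinetd_block: action must be add or delete" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "xinetd_block: no such file $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk -v action="$action" -v ip="$ip" '
        /^[[:space:]]*no_access[[:space:]]*=/ {
            seen = 1
            sub(/^[[:space:]]*no_access[[:space:]]*=[[:space:]]*/, "")
            n = split($0, cur, /[[:space:]]+/)
            m = 0
            # keep every existing entry except the one being (re)added/removed
            for (i = 1; i <= n; i++)
                if (cur[i] != "" && cur[i] != ip) list[++m] = cur[i]
            if (action == "add") list[++m] = ip
            if (m > 0) {
                line = "\tno_access\t="
                for (i = 1; i <= m; i++) line = line " " list[i]
                print line
            }
            next
        }
        # no no_access line yet: insert one just before the closing brace
        /^[[:space:]]*}/ && !seen && action == "add" {
            print "\tno_access\t= " ip
            seen = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# xinetd_reload: xinetd re-reads its configuration on SIGHUP (hard
# reconfiguration, which also tears down servers of now-denied clients).
xinetd_reload() {
    pid=$(pidof xinetd 2>/dev/null || pgrep -x xinetd 2>/dev/null) || return 0
    [ -n "$pid" ] && kill -HUP $pid
}

main() {
    ACTION="$1"; USER="$2"; IP="$3"   # $4/$5 would be alert id / rule id
    case "$ACTION" in
        add|delete)
            xinetd_block "$ACTION" "$IP" "$XINETD_SERVICE_FILE" && xinetd_reload ;;
        *)
            echo "usage: $0 add|delete <user> <srcip>" >&2; exit 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

To wire this into OSSEC the script is dropped into the active-response directory, registered as a `<command>` in ossec.conf with `<expect>srcip</expect>`, and bound by an `<active-response>` block to the rule level (or rule ids) that should trigger it; the same script is called with `delete` when the timeout expires. The IP check at the top matters because the value comes straight from a parsed log line, so anything that is not a dotted quad is rejected rather than written into the config or passed to a shell.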
