Hi Daniel
I probably was using the "rule_id" inside the "command" section.
I put this one inside the "active_response" section, and now this works fine.
Thanks again Daniel.
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Daniel Cid wrote:
Hi Leonardo,
Can you show us your full configuration file? The "rules_id" option should still work, but make sure it is inside the "active_response" configuration section. Something like that:
<active-response>
  <command>ssh-drop</command>
  <location>local</location>
  <rules_id>xxx</rules_id>
  <timeout>600</timeout>
</active-response>
Hope it helps..
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/8/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
Hi
I updated my ossec to the 9-1a version on Monday and, after updating, my active-response doesn't work anymore.
My active-response configuration at ossec.conf is this:
<command>
  <name>ssh-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>ssh-drop</command>
  <location>local</location>
  <timeout>600</timeout>
</active-response>
Before the upgrade I had this line, which tells the active-response to work with some rules:
<rules_id>xxx</rules_id>
If I use this line again, I get this error:
# service ossec restart
Stopping OSSEC: [ OK ]
Starting OSSEC: 2006/09/06 10:47:16 ossec-analysisd(1230): Invalid element in the configuration: rules_id.
2006/09/06 10:47:16 ossec-analysisd(1202): Configuration problem. Exiting.
2006/09/06 10:47:16 ossec-analysisd(1202): Configuration problem. Exiting.
[FAILED]
With the 9-1a version, can I specify which rules the active-response will work with? How do I use active-response in this version?
Tks
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
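
An added example (not part of the original thread and not OSSEC code): a small Python check for the mistake discussed above, flagging a rules_id placed outside the active-response section before the service is restarted. The function name and both sample configurations are constructed for illustration, keeping the thread's xxx placeholder as the rule id, and the check assumes the file has no XML declaration.

```python
import xml.etree.ElementTree as ET

def check_active_response(conf_text):
    """Return findings about rules_id placement in OSSEC config text."""
    # Wrap in a synthetic root: ossec.conf may hold bare fragments or several
    # top-level blocks, which is not one well-formed XML document by itself.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    # The thread reports "Invalid element in the configuration: rules_id"
    # when the option was not inside <active-response>.
    for el in root.iter("rules_id"):
        where = parent[el].tag
        if where != "active-response":
            findings.append(f"rules_id inside <{where}>: move it to <active-response>")
    # Names declared by <command><name>...</name></command> definitions.
    defined = {c.findtext("name", "").strip()
               for c in root.iter("command") if c.find("name") is not None}
    for ar in root.iter("active-response"):
        cmd = ar.findtext("command", "").strip()
        if cmd not in defined:
            findings.append(f"active-response uses undefined command '{cmd}'")
        if ar.find("rules_id") is None:
            findings.append(f"active-response '{cmd}' has no rules_id")
    return findings

# Constructed sample input based on the configuration quoted in the thread.
COMMAND = """<command>
  <name>ssh-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>{extra}
</command>"""
RESPONSE = """<active-response>
  <command>ssh-drop</command>
  <location>local</location>{extra}
  <timeout>600</timeout>
</active-response>"""
RULES = "\n  <rules_id>xxx</rules_id>"
BROKEN = COMMAND.format(extra=RULES) + RESPONSE.format(extra="")  # rules_id in <command>
FIXED = COMMAND.format(extra="") + RESPONSE.format(extra=RULES)   # rules_id in <active-response>

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_active_response(conf) or "no findings")
```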