In writing an <active-response> rule, I'm a little confused about
the difference between <defined-agent> and <agent-id>.
I see the example:
<active-response>
<disabled>Completely disables active response if "yes"</disabled>
<command>The name of any command already created</command>
<location>Location to execute the command</location>
<agent_id>ID of an agent (when using a defined agent) </agent_id>
<level>The lower level to execute it (0-9)</level>
<rules_id>Comma separated list of rules id (0-9)</rules_id>
<rules_group>Comma separated list of groups (A-Za-z0-9)</rules_group>
<!-- Presumably this means in "seconds" -->
<timeout>Time to block</timeout>
</active-response>
So, if I want to write an active-response that occurs inside (on a NAT'd
connection) but sends the instruction to the firewall system (an
agent), I would see this as:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>3122</rules_id>
<!-- We want this to occur ON the firewall itself -->
<defined-agent>001</defined-agent>
<!-- OR ? -->
<agent-id>001</agent-id>
<timeout>3600</timeout>
</active-response>
It says in the instructions:
- location: Where the command should be executed. You have four options:
  - local: on the agent that generated the event,
  - analysis-server: on the analysis server,
  - defined-agent: on a specific agent (when using this option, you need to set the agent_id to use),
  - all: or everywhere.
- agent_id: The ID of the agent to execute the response (when defined-agent is set).
So I presume this means I need to have a <location> instruction
in there first. It's not clear to me how this goes together... yet.
Would this be:
<location>defined-agent</location> <!-- it's already defined -->
<agent-id>001</agent-id>
?
Thanks.
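As an added illustration (not part of the original post and not OSSEC's own code), a small Python check that applies the rule quoted above to an <active-response> block: <agent_id> belongs with <location>defined-agent</location> and only with it, and the child element names are the ones the quoted reference lists. The sample blocks below are constructed here; the first mirrors the draft in the post (with the mismatched rules_id closing tag corrected), the second is the form the quoted instructions describe. Anything this script flags beyond that pairing (unknown element names, non-numeric values) is a simple sanity check of my own, not OSSEC's parser.

```python
import xml.etree.ElementTree as ET

# Child elements of <active-response> as listed in the reference quoted in the post.
KNOWN_ELEMENTS = {"disabled", "command", "location", "agent_id", "level",
                  "rules_id", "rules_group", "timeout"}
# The four <location> values the post quotes from the instructions.
LOCATIONS = {"local", "analysis-server", "defined-agent", "all"}


def check_active_response(xml_text):
    """Return a list of problems found in one <active-response> block.
    An empty list means the block is internally consistent."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "active-response":
        return ["expected <active-response>, got <%s>" % root.tag]

    fields = {}
    for child in root:
        if child.tag not in KNOWN_ELEMENTS:
            hint = ""
            # A hyphen/underscore mix-up (agent-id vs agent_id) is the common slip.
            if child.tag.replace("-", "_") in KNOWN_ELEMENTS:
                hint = " (did you mean <%s>?)" % child.tag.replace("-", "_")
            # defined-agent is a value of <location>, not an element of its own.
            elif child.tag in LOCATIONS:
                hint = " (%s is a <location> value, not an element)" % child.tag
            problems.append("unknown element <%s>%s" % (child.tag, hint))
            continue
        fields[child.tag] = (child.text or "").strip()

    if "command" not in fields:
        problems.append("missing <command>")

    location = fields.get("location")
    if location is None:
        problems.append("missing <location>")
    elif location not in LOCATIONS:
        problems.append("unknown <location> value '%s'" % location)

    # The rule from the quoted reference: agent_id goes with defined-agent, and only with it.
    if location == "defined-agent" and not fields.get("agent_id"):
        problems.append("<location> is defined-agent but <agent_id> is not set")
    if location != "defined-agent" and "agent_id" in fields:
        problems.append("<agent_id> is only used when <location> is defined-agent")

    # Something has to trigger the response (assumption: at least one of these).
    if not (set(fields) & {"rules_id", "rules_group", "level"}):
        problems.append("no trigger: set <rules_id>, <rules_group> or <level>")
    # Plain sanity check: these values are numbers (rules_id may be a comma list).
    for name in ("rules_id", "level", "timeout"):
        value = fields.get(name)
        if value is not None and not all(p.strip().isdigit() for p in value.split(",")):
            problems.append("<%s> must be numeric, got '%s'" % (name, value))
    return problems


# Constructed sample 1: the draft from the post, both guesses included.
DRAFT = """<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>3122</rules_id>
<defined-agent>001</defined-agent>
<agent-id>001</agent-id>
<timeout>3600</timeout>
</active-response>"""

# Constructed sample 2: the form the quoted instructions describe.
CORRECTED = """<active-response>
<command>firewall-drop</command>
<location>defined-agent</location>
<agent_id>001</agent_id>
<rules_id>3122</rules_id>
<timeout>3600</timeout>
</active-response>"""

# Constructed sample 3: defined-agent chosen, but the agent_id left out.
MISSING_AGENT_ID = """<active-response>
<command>firewall-drop</command>
<location>defined-agent</location>
<rules_id>3122</rules_id>
<timeout>3600</timeout>
</active-response>"""

if __name__ == "__main__":
    for label, block in (("draft", DRAFT), ("corrected", CORRECTED),
                         ("missing agent_id", MISSING_AGENT_ID)):
        print(label, "->", check_active_response(block) or "OK")
```

Run it as a script to see the draft flagged for its two unknown elements while the corrected block passes; the function can also be pointed at any <active-response> element cut from ossec.conf.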