Hi Forrest,
Inside a rule, the "level" specifies the severity of the rule. For example, a rule with severity "2" is not very security relevant, but a rule with severity "15" may indicate a severe problem. However, in the active-response, the "level" indicates the lower level to execute the response. For example, in your firewall-drop response, you can specify the level "7", so whenever a rule with severity higher than "7" is fired, it will cause the active response to be executed.

Some of this is explained (or at least I tried to) at:
http://www.ossec.net/en/manual.html#active-response-config

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/13/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
What is the difference between using <level> in the <rules> and <active-response> areas? If I set a <rule> at level="16", then my expectation would be the same value would apply to the active-response - or I wonder why I have that <level> option in <active-response> to begin with. Or is this just finer granularity in specifying a different priority for the respective areas?

_F
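
The two places a level appears, side by side, as an added illustration that is not part of the original messages and not OSSEC's shipped configuration. The rule ids, match strings and timeout are constructed for the example, and the rules assume the sshd decoder has extracted a source IP for firewall-drop to act on.

```xml
<!-- ossec.conf: the active-response <level> is a threshold, not a severity.
     It decides which alerts are allowed to trigger the response. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <!-- Threshold from the reply above: alerts above 7 run firewall-drop. -->
    <level>7</level>
    <!-- Constructed value: remove the block after 10 minutes. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- local_rules.xml: the rule's level attribute is the severity of the alert
     that the rule produces. Both rules below are constructed samples. -->
<group name="local,">
  <!-- Severity 3: logged as an alert, but below the threshold of 7,
       so firewall-drop is NOT executed. -->
  <rule id="100001" level="3">
    <decoded_as>sshd</decoded_as>
    <match>constructed low-severity marker</match>
    <description>Sample low-severity event (no active response).</description>
  </rule>

  <!-- Severity 10: above the threshold of 7, so firewall-drop IS executed
       against the source IP in the alert. -->
  <rule id="100002" level="10">
    <decoded_as>sshd</decoded_as>
    <match>constructed high-severity marker</match>
    <description>Sample high-severity event (triggers firewall-drop).</description>
  </rule>
</group>
```

Raising or lowering the `<level>` in `<active-response>` changes which existing rules cause a block without touching any rule's own severity.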
