Hi Mark,
You can have as many "active-response" blocks as you want on ossec. Actually, if you want multiple responses, each one must be inside a separate active-response tag. If you look at the default config, it has two entries (one for firewall-drop and one for host-deny).

The "expect" tag currently only supports srcip and username. However, by default it always passes the action, rule id, event id and agent name to the scripts...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/1/07, Mark Haney <[EMAIL PROTECTED]> wrote:
Well, my other posts got dropped yesterday, but I did manage to figure out one of them. However, I have a couple of other things I need clarifying.

1. Can I have multiple <active-response></> blocks in ossec.conf? Or must I put all my active response stuff inside one block?

2. The documentation for the <expect> tag seems to indicate that I can put ANY text in the tags to be passed to a command, yet when I try it, I don't get anything passed but junk to the command. Is this an error, or am I doing something wrong?

--
Ita erat quando hic adveni.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
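As an added illustration of what Daniel describes (this is example code, not part of the thread and not one of OSSEC's own scripts), the script below consumes the arguments that execd passes to an active-response command. The argument order assumed here, taken from the OSSEC active-response documentation, is: $1 action (add or delete), $2 username or "-", $3 source IP or "-", $4 alert id, $5 rule id, $6 agent name. A script like this would be wired up with its own <command> entry and its own <active-response> block (one block per response, as the reply explains). The file path in AR_LOG and the sample arguments in the test are constructed values; the script validates srcip before building a firewall rule so that a malformed or empty value can never reach a shell command.

```shell
#!/bin/sh
# Example OSSEC active-response handler (added illustration, not OSSEC's own code).
# Assumed execd argument order (from the OSSEC active-response docs):
#   $1 action (add|delete)  $2 username or "-"  $3 srcip or "-"
#   $4 alert id (time.count)  $5 rule id  $6 agent name
# Audit log location; AR_LOG is an assumed, overridable environment variable.

# Return 0 only if $1 is a dotted-quad IPv4 address with octets in 0-255.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1           # split on dots into the function's positional params
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Print (do not execute) the firewall command for an add/delete action on $2.
build_rule() {
  case "$1" in
    add)    echo "iptables -I INPUT -s $2 -j DROP" ;;
    delete) echo "iptables -D INPUT -s $2 -j DROP" ;;
    *)      return 2 ;;
  esac
}

# Main handler: validate inputs, record the event, emit the command to run.
# Exit codes: 2 unknown action, 3 missing/invalid srcip.
handle_ar() {
  action=$1 user=$2 ip=$3 alertid=$4 ruleid=$5 agent=$6
  case "$action" in
    add|delete) ;;
    *) echo "unknown action: $action" >&2; return 2 ;;
  esac
  # execd sends "-" when the alert carried no srcip; refuse to act on that.
  if [ "$ip" = "-" ] || ! valid_ipv4 "$ip"; then
    echo "refusing to act on srcip '$ip'" >&2
    return 3
  fi
  # Every argument is logged so the response can be audited against the alert.
  printf '%s action=%s user=%s srcip=%s alert=%s rule=%s agent=%s\n' \
    "$(date '+%Y-%m-%d %H:%M:%S')" "$action" "$user" "$ip" "$alertid" \
    "$ruleid" "$agent" >> "${AR_LOG:-/tmp/ossec-ar-example.log}" 2>/dev/null || :
  build_rule "$action" "$ip"
}

# When run by execd (or by hand) with arguments, handle them; otherwise do nothing.
[ $# -gt 0 ] && handle_ar "$@"
```

Replacing the `echo` in build_rule with the real `iptables` call (and keeping the validation above it) turns this into a minimal firewall-drop response; the log line shows exactly which alert id and rule id triggered each block, which is the first thing to check when a response fires unexpectedly.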
