Daniel Cid wrote:
> Hi Mark,
> You can have as many "active-response" blocks as you want on ossec.
> Actually, if you want multiple responses, each one must be inside
> a separate active-response tag. If you look at the default config,
> it has two entries (one for firewall-drop and one for host-deny).
> The "expect" tag currently only supports srcip and username.
> However, by default it always passes the action, rule id, event id
> and agent name to the scripts...

Thanks for the clarification. Is it possible that the ability to pass
other data via the expect tag will be included in future releases?
--
Ita erat quando hic adveni.
Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
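As an added illustration of the layout Daniel describes (example configuration written for this thread, not the project's shipped ossec.conf): each response gets its own `<active-response>` block naming a `<command>` defined separately, and the `<expect>` tag sits on the command, where it can only be `srcip` or `username`. The level and timeout values are assumptions chosen for the example; the command and script names match the two defaults mentioned above.

```xml
<ossec_config>
  <!-- Command definitions: which script runs and what it expects from the alert -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>            <!-- expect supports only srcip or username -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- One active-response block per response: two responses, two blocks -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>        <!-- run on the agent that raised the alert -->
    <level>6</level>                  <!-- alert level threshold (assumption) -->
    <timeout>600</timeout>            <!-- seconds before the block is reverted (assumption) -->
  </active-response>

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Anything a script needs beyond the `srcip` or `username` value has to come from the arguments OSSEC always passes (the action, rule id, event id and agent name Daniel lists), which is the gap Mark's follow-up question is about.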