Hi List,
I have a question concerning the active responses. How can I be
sure that every alert with a defined level or higher triggers one?
Is it enough if the following lines are in the ossec.conf?
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
Or do I also have to edit all alerts to add the ability of an active
response?
Thanks for your help.
regards,
Daniel
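As an added illustration (not part of the post above or of OSSEC's own code), a small Python model of how an active-response block like the one quoted is matched against alerts: the `<level>` value is a minimum severity, and `<rules_id>` / `<rules_group>` are optional extra filters that narrow the match only when they are configured. The sample alerts, their rule ids, levels and groups are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's <active-response> block inside the <ossec_config> root.
OSSEC_CONF = """<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""

# Constructed alerts; rule ids, levels and groups are illustrative only.
SAMPLE_ALERTS = [
    {"rule_id": 5501, "level": 3, "groups": ["syslog", "authentication_success"]},
    {"rule_id": 5710, "level": 5, "groups": ["syslog", "sshd", "invalid_login"]},
    {"rule_id": 5712, "level": 10, "groups": ["syslog", "sshd", "authentication_failures"]},
]

def parse_active_responses(conf_xml):
    """Read every <active-response> block and the optional filters it carries."""
    root = ET.fromstring(conf_xml)
    blocks = []
    for ar in root.findall("active-response"):
        ids = ar.findtext("rules_id")
        groups = ar.findtext("rules_group")
        blocks.append({
            "command": ar.findtext("command"),
            "level": int(ar.findtext("level") or 0),
            # None means "no filter on this attribute"
            "rules_id": {int(x) for x in ids.split(",")} if ids else None,
            "rules_group": set(groups.split(",")) if groups else None,
        })
    return blocks

def response_fires(block, alert):
    """<level> is a minimum severity; rules_id / rules_group narrow it only when set."""
    if alert["level"] < block["level"]:
        return False
    if block["rules_id"] is not None and alert["rule_id"] not in block["rules_id"]:
        return False
    if block["rules_group"] is not None and not (block["rules_group"] & set(alert["groups"])):
        return False
    return True

def matching_alerts(conf_xml, alerts):
    """Return (rule_id, command) for every alert that would trigger a response."""
    blocks = parse_active_responses(conf_xml)
    return [(a["rule_id"], b["command"]) for a in alerts for b in blocks if response_fires(b, a)]
```

With the block as posted, only the level-10 alert reaches the host-deny command; adding a `<rules_group>` or `<rules_id>` element restricts it further without touching the rules themselves.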