Hi, thanks @Peter. I know about the false positives. I will use the active responses to send alerts to another system.

I just made the active-response script and also edited the ossec.conf. I did it like in the guide from Daniel Cid: http://www.ossec.net/wiki/index.php/Know_How:CustomActiveResponses

I use ossec 1.3, but the active response won't be executed. What did I do wrong? As far as I know, I activated the active-responses during the setup. Are there any ways to check that? How can I see what happens?

I also recognized that there was no logfile for the active response. I just added an empty file with the correct name, and it is still empty, so I assume that there was no active response executed.

I use ossec on a server-agent installation, so I configured it like in the guide. Does anyone have any hints?

Thanks for your help.

Regards,
Daniel

On 11.09.2007 at 16:27, Peter M. Abraham wrote:
>
> Greetings Daniel:
>
> If an existing alert has a level lower than the value, it will not be
> a part of active response.
>
> Personally, I don't like the active-response level approach as who
> knows if it will block a false positive, or something that should be
> further investigated.
>
> That stated, we use the sid approach where I list out the rules for
> which blocks should apply.
>
> If you do need to change levels, place the rules in /var/ossec/rules/
> local_rules.xml and use the overwrite="yes" flag (on the same line as
> the <rule>
>
> Thank you.
>

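As an added illustration for the two approaches Peter describes (this is example configuration written for this thread, not from the OSSEC wiki page linked above or from either poster), here is an ossec.conf fragment that binds one custom command first with the level threshold and then with the rules_id list, followed by a local_rules.xml entry that raises a stock rule's level with overwrite="yes". The script name notify-other-system.sh and the chosen levels are placeholders; rule 5712 and its match conditions are taken from the stock sshd ruleset and should be checked against the installed /var/ossec/rules/sshd_rules.xml before copying, because an overwritten rule must restate its own matching conditions. In a default install the output of executed responses goes to /var/ossec/logs/active-responses.log, and an active response only fires when the alert meets the `<level>` or matches a listed id for a server-side response, so a response that never appears in that log usually means the threshold or id list did not match.

```xml
<!-- /var/ossec/etc/ossec.conf fragment (example, not from the thread) -->
<ossec_config>

  <!-- The command definition: name used below, script under
       /var/ossec/active-response/bin/ (script name is a placeholder). -->
  <command>
    <name>notify-other-system</name>
    <executable>notify-other-system.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Level-threshold form: runs for EVERY alert of level 10 or higher,
       including false positives that happen to reach that level. -->
  <active-response>
    <command>notify-other-system</command>
    <location>server</location>
    <level>10</level>
  </active-response>

  <!-- rules_id form (Peter's "sid approach"): runs only for the listed
       rule ids, whatever their level. -->
  <active-response>
    <command>notify-other-system</command>
    <location>server</location>
    <rules_id>5712</rules_id>
  </active-response>

</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (example): raise the level of stock
     rule 5712 so that the level-based response above also catches it.
     The match conditions are restated from the stock sshd_rules.xml and
     must be verified against the installed copy. -->
<group name="local,">
  <rule id="5712" level="12" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <frequency>6</frequency>
    <timeframe>120</timeframe>
    <description>SSHD brute force trying to get access to the system (level raised locally).</description>
  </rule>
</group>
```

Only one of the two `<active-response>` blocks is normally kept; they are shown together to contrast the threshold and id-list forms. After editing either file, OSSEC has to be restarted for the change to take effect.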