OSSEC version: 1.3
OS: CentOS release 5 (Final)
Hi,
Active response seems to work w/ certain rules but not others. Just
wondering if anyone knows why the following web_rules.xml default rule
doesn't generate an active response, even though level 13 is above
what we have configured as the active-response trigger level:
<rule id="31115" level="13" maxsize="2900">
  <if_sid>31100</if_sid>
  <description>URL too long. Higher than allowed on most </description>
  <description>browsers. Possible attack.</description>
  <group>invalid_access,</group>
</rule>
The ossec.conf file has the following for active response:
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>900</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>900</timeout>
</active-response>
Thanks,
SW
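A debugging aid added here, not part of the post or of OSSEC itself: it parses the posted rule and active-response blocks and applies a simplified model of how OSSEC gates an active response, namely the rule level must reach the configured level and the field named by the command's <expect> must be present in the alert. The <command> definitions are an assumption modelled on OSSEC's stock host-deny and firewall-drop entries, which expect a srcip.

```python
import xml.etree.ElementTree as ET
# Constructed sample input: the rule and <active-response> blocks from the post,
# plus <command> entries modelled on OSSEC's stock host-deny and firewall-drop
# definitions (assumption: both declare <expect>srcip</expect>).
RULES_XML = """<group name="web,accesslog,">
<rule id="31115" level="13" maxsize="2900"><if_sid>31100</if_sid>
<description>URL too long. Higher than allowed on most </description>
<description>browsers. Possible attack.</description>
<group>invalid_access,</group></rule></group>"""
CONF_XML = """<ossec_config>
<command><name>host-deny</name><expect>srcip</expect></command>
<command><name>firewall-drop</name><expect>srcip</expect></command>
<active-response><command>host-deny</command><location>local</location>
<level>6</level><timeout>900</timeout></active-response>
<active-response><command>firewall-drop</command><location>local</location>
<level>6</level><timeout>900</timeout></active-response></ossec_config>"""

def csv_set(text):
    """Split an OSSEC comma list such as 'invalid_access,' into a set."""
    return {x.strip() for x in (text or "").split(",") if x.strip()}

def load_rules(xml_text):
    root, rules = ET.fromstring(xml_text), {}
    for r in root.findall("rule"):
        groups = csv_set(root.get("name"))  # rules inherit the wrapper's group names
        for g in r.findall("group"):
            groups |= csv_set(g.text)
        rules[r.get("id")] = {"level": int(r.get("level")), "groups": groups,
                              # OSSEC joins repeated <description> elements
                              "description": "".join(d.text or "" for d in r.findall("description"))}
    return rules

def load_responses(xml_text):
    root = ET.fromstring(xml_text)
    expects = {c.findtext("name"): c.findtext("expect") for c in root.findall("command")}
    return [{"command": ar.findtext("command"), "level": int(ar.findtext("level", "0")),
             "expect": expects.get(ar.findtext("command"))}
            for ar in root.findall("active-response")]

def would_fire(rule_id, rules, resp, alert_fields):
    """Simplified model (an assumption, not OSSEC's code): level threshold, then expected field."""
    rule = rules[rule_id]
    if rule["level"] < resp["level"]:
        return False, "level %d below threshold %d" % (rule["level"], resp["level"])
    if resp["expect"] and resp["expect"] not in alert_fields:
        return False, "command expects %s but the alert carries none" % resp["expect"]
    return True, "would run %s" % resp["command"]

def check(alert_fields, rule_id="31115"):
    """Evaluate every configured active response for one alert's decoded fields."""
    rules, responses = load_rules(RULES_XML), load_responses(CONF_XML)
    return {r["command"]: would_fire(rule_id, rules, r, alert_fields) for r in responses}
```

Run check() once with an alert that carries a decoded srcip and once with an empty field set to see which gate blocks each response.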