Greetings Nikita: Go Nittany Lions!!!!
We use the following, where active-response hits all agents and the OSSEC server, using OSSEC 1.5:

<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <rules_id>(various rule IDs, comma delimited, without parentheses)</rules_id>
  <timeout>(numerical response timeout, without parentheses)</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <rules_id>(various rule IDs, comma delimited, without parentheses)</rules_id>
  <timeout>(numerical response timeout, without parentheses)</timeout>
</active-response>

Thank you.
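As an added example (not from the post above or from the OSSEC project), here is a small checker for the two-block layout described: it parses the <active-response> entries out of an ossec.conf fragment and flags non-numeric rule IDs, an unknown <location>, and a missing <timeout>. The sample configuration, the rule IDs and the timeout value in it are constructed for the example.

```python
"""Sanity-check <active-response> blocks in an OSSEC ossec.conf fragment (added example)."""
import xml.etree.ElementTree as ET

# Location values accepted by OSSEC for an active-response block.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample mirroring the post: one block run on the server, one on all
# agents. The second block deliberately omits <timeout>.
SAMPLE_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>5712,31151</rules_id>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712, 31151</rules_id>
  </active-response>
</ossec_config>"""


def parse_active_responses(conf_text):
    """Return one dict per <active-response> element with its parsed fields."""
    root = ET.fromstring(conf_text)
    blocks = []
    for ar in root.iter("active-response"):
        rules = [r.strip() for r in ar.findtext("rules_id", "").split(",") if r.strip()]
        blocks.append({
            "command": ar.findtext("command", "").strip(),
            "location": ar.findtext("location", "").strip(),
            "rules_id": rules,
            "timeout": ar.findtext("timeout"),  # None when the element is absent
        })
    return blocks


def check_active_responses(conf_text):
    """Return (block_index, problem) findings; an empty list means the blocks look sane."""
    findings = []
    for i, ar in enumerate(parse_active_responses(conf_text)):
        if ar["location"] not in VALID_LOCATIONS:
            findings.append((i, "unknown location %r" % ar["location"]))
        if not ar["rules_id"] or not all(r.isdigit() for r in ar["rules_id"]):
            findings.append((i, "rules_id must be comma-separated numeric rule IDs"))
        if ar["timeout"] is None:
            findings.append((i, "no timeout set: OSSEC will not revert the block"))
        elif not ar["timeout"].strip().isdigit():
            findings.append((i, "timeout must be a number of seconds"))
    return findings


if __name__ == "__main__":
    for idx, msg in check_active_responses(SAMPLE_CONF):
        print("active-response #%d: %s" % (idx, msg))
```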
