I see there's been a previous discussion about Active Response not
working with Rule 31115 "URL too long."
(http://groups.google.com/group/ossec-list/browse_thread/thread/277c7b721cc5795b/5f0759874c21e8d7?hl=en&lnk=gst&q=31115#5f0759874c21e8d7).
I'm seeing the same behavior. The source IP address is in the OSSEC
logs. Has this issue been solved and I'm missing something in the
configuration, or has this never been addressed?
<command>
  <name>firewall-drop</name>
  <executable>pf.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>003</agent_id>
  <rules_id>31115</rules_id>
  <timeout>86400</timeout>
</active-response>
I'm using FreeBSD, so I've changed <executable> to pf.sh. If I change
the <rules_id> to 31151 "Mutiple web server 400 error codes from same
source ip", Active Response acts the way I expect it to.
Thanks
Todd Long
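A check worth running before digging further into the active-response side: the firewall-drop command declares `<expect>srcip</expect>`, so the alert for rule 31115 must actually carry a `Src IP:` field for the responder to have an address to block. The script below is an added example, not part of the post or of OSSEC; it parses text in the alerts.log layout and reports, per rule id, how many alerts carried a Src IP. The embedded alert text is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OSSEC alerts.log layout; not taken from the original post.
SAMPLE_ALERTS = """\
** Alert 1257972946.14: - web,accesslog,attack,
2009 Nov 11 15:55:46 (web) 10.0.0.5->/var/log/apache2/access.log
Rule: 31115 (level 13) -> 'URL too long. Higher than allowed on most browsers. Possible attack.'
Src IP: 192.0.2.44
192.0.2.44 - - [11/Nov/2009:15:55:45 -0500] "GET /AAAAAAAA HTTP/1.1" 414 330

** Alert 1257972950.22: - web,accesslog,
2009 Nov 11 15:55:50 (web) 10.0.0.5->/var/log/apache2/access.log
Rule: 31151 (level 10) -> 'Multiple web server 400 error codes from same source ip.'
Src IP: 192.0.2.44
192.0.2.44 - - [11/Nov/2009:15:55:49 -0500] "GET /missing HTTP/1.1" 404 210

** Alert 1257972960.31: - syslog,
2009 Nov 11 15:56:00 (web) 10.0.0.5->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Nov 11 15:56:00 web kernel: something failed
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
SRCIP_RE = re.compile(r"^Src IP: (\S+)")

def parse_alerts(text):
    """Split alerts.log text into records of rule id, level and Src IP (None if absent)."""
    alerts = []
    for block in text.split("** Alert "):
        rec = {"rule": None, "level": None, "srcip": None}
        for line in block.splitlines():
            if m := RULE_RE.match(line):
                rec["rule"], rec["level"] = m.group(1), int(m.group(2))
            elif m := SRCIP_RE.match(line):
                rec["srcip"] = m.group(1)
        if rec["rule"] is not None:
            alerts.append(rec)
    return alerts

def srcip_coverage(alerts):
    """Per rule id: (alerts seen, alerts that carried a Src IP the responder could use)."""
    cov = defaultdict(lambda: [0, 0])
    for a in alerts:
        cov[a["rule"]][0] += 1
        if a["srcip"]:
            cov[a["rule"]][1] += 1
    return {rule: tuple(counts) for rule, counts in cov.items()}
```

Run it against a copy of the real /var/log/ossec/alerts.log by replacing SAMPLE_ALERTS with the file contents; a rule that shows alerts but no Src IP cannot satisfy `<expect>srcip</expect>` regardless of the active-response block.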