Hi William,

Currently there is no way to pass the dst ip. However, you can use the rule id/alert id to read the full alert and get whatever information you need. In the following link we explain it a bit:

http://www.ossec.net/wiki/index.php/Know_How:CustomActiveResponses

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sun, Mar 1, 2009 at 7:31 PM, william maddler <[email protected]> wrote:
>
> william maddler wrote:
>> Hello,
>> I'd need to pass to an active-response command both src and dst IP. Is
>> there a way to achieve that?
>>
>> I'd also like to be able to supply the script the rule ID. This way I
>> could handle with a single script more event types without having to
>> change Ossec inner configuration.
>>
>> Thanks
>>
>
> Just found that rule ID and related log file are being passed to the
> external script. Now I'd only need dst IP :)
>
> Any clue?
>
> Thx
>
> --
> +----------------------------------------------------+
> | William Maddler                                    |
> +----------------------------------------------------+
> | Visit my blog at http://www.eth0.it                |
> | eth0 / ifconfig realworld up!                      |
> +----------------------------------------------------+
> | gpg fingerprint:                                   |
> | EAAA 5A70 0359 ECEC 1167 D81E 3ED7 87C1 29EE 144Aa |
> +----------------------------------------------------+
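The lookup suggested in the reply above, sketched as an added example that is not part of the original thread or of OSSEC itself: an active-response script finds the alert by its id in the alerts log, reads the destination address from it, and validates the value before using it. The argument order, the default log path, the alert layout and the presence of a `Dst IP:` line are assumptions to check against the installed version; the sample alerts are constructed.

```shell
#!/bin/sh
# Added example. Assumed alert layout: a "** Alert <id>:" header, then
# "Name: value" lines; a blank line ends the alert.

# Constructed sample log (documentation addresses, made-up ids).
sample_alerts() {
cat <<'EOF'
** Alert 1235934660.1001: - syslog,firewall,
2009 Mar 01 19:11:00 gw->/var/log/messages
Rule: 4101 (level 5) -> 'Firewall drop event.'
Src IP: 192.0.2.10
Dst IP: 198.51.100.7
kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.7

** Alert 1235934661.1420: - syslog,firewall,
2009 Mar 01 19:11:01 gw->/var/log/messages
Rule: 4101 (level 5) -> 'Firewall drop event.'
Src IP: 192.0.2.11
Dst IP: 198.51.100.999
kernel: DROP IN=eth0 SRC=192.0.2.11 DST=198.51.100.999
EOF
}

# alert_field FILE ALERT_ID NAME: value of the "NAME: value" line in that alert.
alert_field() {
    awk -v id="$2" -v name="$3" '
        index($0, "** Alert " id ":") == 1 { found = 1; next }
        found && /^[ \t]*$/                { exit }
        found && index($0, name ": ") == 1 { print substr($0, length(name) + 3); exit }
    ' "$1"
}

# is_ipv4 STRING: succeeds only for a dotted quad with octets 0-255, so a
# value taken from log text is checked before any command uses it.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }
    '
}

# Assumed arguments: $1 action, $2 user, $3 src IP, $4 alert id, $5 rule id.
if [ "$#" -ge 5 ]; then
    DSTIP=$(alert_field "${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}" "$4" "Dst IP")
    if is_ipv4 "$DSTIP"; then
        echo "rule $5 ($1): src $3 dst $DSTIP"
    else
        echo "alert $4: no usable Dst IP" >&2
    fi
fi
```

Where the alert carries no `Dst IP:` line, the same lookup still returns the raw log line from which a rule-specific pattern can take the address, and the validation step applies to that value as well.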
