Hello, I am new to Ossec and am looking forward to making great use of what appears to be a great tool.
I had a few questions. I have looked on the Ossec website but couldn't really find the answers on there. I apologize in advance if they are obvious answers.

1. So if I want to add an Active Response, do I add the <active-response> </active-response> tags to the ossec.conf in the ossec/etc folder? Can they go anywhere in the file, or do they need to go after all the <command> tags?
2. Is there a simple way to view all the rules and what security level rating they have been given?
3. If I want to use an active-response for, let's say, Apache abuses, like repeated incorrect logins or 404 pages generated, where are the values of how many is considered "too many"? I can't seem to find it anywhere.

Many thanks in advance for your help.

Elli
