On Thu, Oct 29, 2009 at 8:38 PM, Elli Fenner <[email protected]> wrote:
>
> Hello,
>
> I am new to Ossec and am looking forward to making great use of what
> appears to be a great tool.
>
> I had a few questions. I have looked on the ossec website but couldn't
> really find the answers on there... I apologize in advance if they are
> obvious answers.
>
> 1. So if I want to add an Active Response, do I add the
> <active-response> </active-response> tags to the ossec.conf in the
> ossec/etc folder?  Can they go anywhere in the file, or do they need
> to go after all the <command> tags?
>

They should probably go after the command tags. They probably don't
have to immediately follow those tags though.

> 2. Is there a simple way to view all the rules and what security level
> rating they have been given?
>

Not really. Depending on the level of reviewing you want to do (just
names and levels? or regexes, names, and levels?) it shouldn't be too
hard to script something up.

> 3. If I want to use an active-response for, let's say, Apache abuses,
> like repeated incorrect logins or 404 pages generated... where are the
> values of how many is considered "too many"? I can't seem to find it
> anywhere.
>
> Many thanks in advance for your help.
>
> Elli
>

The thresholds you apply to your rules really depend on your environment,
what you consider excessive, and how many false positives you're willing
to put up with. Monitor the alerts for a while to get a feel for how many you
are seeing.
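As an added example for questions 2 and 3 (this is illustration code, not part of the thread or of the OSSEC project), the script below does the "script something up" the reply suggests: it reads OSSEC rule XML, lists every rule's id, level and description, and also pulls out the `frequency` and `timeframe` attributes, which is where a rule's "how many is too many" lives (a rule with `frequency="6" timeframe="120"` fires only after six matches of the rule named in its `<if_matched_sid>` within 120 seconds). The rules directory `/var/ossec/rules` is the default install path and is assumed here; the embedded rule snippet is constructed, with ids in the local-rules range, and only mimics the layout of real rule files. Rule files may carry several top-level `<group>` or `<var>` elements with no single root, so the text is wrapped in a synthetic root before parsing.

```python
"""List OSSEC rules with their level and any frequency/timeframe threshold.

Added example; not OSSEC project code. Assumes rule files parse as XML once
wrapped in a synthetic root element.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Default OSSEC install location (assumption; adjust for your install).
DEFAULT_RULES_DIR = "/var/ossec/rules"

# Constructed sample modeled on the layout of an OSSEC rule file. Ids are in
# the local-rules range and do not refer to real OSSEC rules.
SAMPLE_RULES = """
<group name="apache,">
  <!-- base rule: every Apache error line lands here at level 0 -->
  <rule id="100101" level="0">
    <match>error</match>
    <description>Apache error messages grouped.</description>
  </rule>
  <rule id="100105" level="5">
    <if_sid>100101</if_sid>
    <match>user .* not found</match>
    <description>Attempt to login using a non-existent user.</description>
  </rule>
  <!-- the threshold: 6 matches of 100105 within 120 seconds -->
  <rule id="100115" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100105</if_matched_sid>
    <description>Multiple Apache failed logins from same source.</description>
  </rule>
</group>
"""


def _int_or_none(value):
    """Convert an optional attribute string to int (None if absent)."""
    return int(value) if value is not None else None


def parse_rules(xml_text):
    """Return a list of dicts (id, level, frequency, timeframe, description)
    for every <rule> element in the given rule-file text."""
    # Wrap in a synthetic root: rule files need not have a single root element.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    rules = []
    for rule in root.iter("rule"):
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level", "0")),
            "frequency": _int_or_none(rule.get("frequency")),
            "timeframe": _int_or_none(rule.get("timeframe")),
            "description": rule.findtext("description", default="").strip(),
        })
    return rules


def filter_by_level(rules, min_level):
    """Rules at or above min_level, e.g. the level an active-response keys on."""
    return [r for r in rules if r["level"] >= min_level]


def threshold_rules(rules):
    """Rules that only fire after N matches in a timeframe (the 'too many' rules)."""
    return [r for r in rules if r["frequency"] is not None]


def format_table(rules):
    """Render rules as fixed-width text lines, header first."""
    lines = [f"{'id':>7}  {'lvl':>3}  {'threshold':<12}  description"]
    for r in rules:
        thr = (f"{r['frequency']}/{r['timeframe']}s"
               if r["frequency"] is not None else "-")
        lines.append(f"{r['id']:>7}  {r['level']:>3}  {thr:<12}  {r['description']}")
    return lines


def scan_rules_dir(directory=DEFAULT_RULES_DIR):
    """Parse every *.xml file under the rules directory, sorted by rule id."""
    rules = []
    for path in sorted(Path(directory).glob("*.xml")):
        rules.extend(parse_rules(path.read_text(encoding="utf-8", errors="replace")))
    return sorted(rules, key=lambda r: r["id"])


if __name__ == "__main__":
    # With a directory argument, list the real rules; otherwise show the sample.
    rules = scan_rules_dir(sys.argv[1]) if len(sys.argv) > 1 else parse_rules(SAMPLE_RULES)
    print("\n".join(format_table(rules)))
```

Run it with no arguments to see the constructed sample, or with your rules directory as the first argument to list the installed rules; pipe through `grep` or change `filter_by_level` to see only the levels your `<active-response>` block would trigger on. Raising `frequency` or `timeframe` on the composite rule is the knob the reply refers to when it says thresholds depend on the false-positive rate you will tolerate.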
