You need to do the following steps:
1. Copy your script to the active response dir of ossec.
2. Register your script as an active response within ossec.conf:
<command>
<name>myAR</name>
<executable>myAR.sh</executable> <!--file name of the script in the AR
dir-->
<!-- if your script expects any decoded values, like source ip or user
etc., define that within the <expect> tag, if the script should make use of
a timeout, define it also:
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
-->
</command>
3. Define the criteria for your new AR in ossec.conf:
<active-response>
<command>myAR</command> <!-- must match the <name> of the <command> above -->
<location>local</location> <!--if you want to execute it on the server
or on all agents, change the value for this tag-->
<rules_id>100001, 100002</rules_id> <!-- define the rules upon which the
AR should be run-->
<!-- if you allowed timeout for your rule, define the value in seconds
here-->
<!-- <timeout>600</timeout> -->
</active-response>
4. If you want only your AR triggered for certain preexisting rules that
would by default use another AR, you could overwrite these rules' alert
level in your local_rules.xml.
Cf. http://www.ossec.net/main/manual/manual-active-responses/ if you want
more detailed info on the config options for AR.
Maybe you also have to add the AR to {$ossecdir}/etc/shared/ar.conf, but
I am not sure about this.
On Thu, Mar 18, 2010 at 2:12 AM, andre pawlowski <[email protected]> wrote:
> Hi guys,
>
> I've written my own active-response script. But this script should only
> be activated by some local rules. Is there any option for rules to use
> an alternate active-response script?
>
> Thanks in advance.
>
> Andre
>
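As an added example (not code from either mail above), here is a skeleton for the myAR.sh script that the <command> block in the reply registers. It assumes the OSSEC convention that active-response scripts receive positional arguments ($1 action add|delete, $2 user, $3 srcip, $4 alert id, $5 rule id; "-" when a value was not requested via <expect>), and that "delete" is only sent when <timeout_allowed> is yes and the <timeout> expires. The log path is an assumption; the real action (for example a firewall rule) is left as a comment.

```shell
#!/bin/sh
# Added example of an OSSEC active-response script skeleton (not from the
# original thread). Assumed invocation by OSSEC:
#   myAR.sh <add|delete> <user> <srcip> <alertid> <ruleid>
# Log path is an assumption; OSSEC's own scripts log relative to their cwd.
AR_LOG="${AR_LOG:-/tmp/myAR-active-responses.log}"

# Validate one invocation and echo the record to log; returns 1 for an
# unknown action and 2 for a srcip that is not a plain IPv4 address.
ar_handle() {
    action="$1"; user="$2"; srcip="$3"; alertid="$4"; ruleid="$5"
    case "$action" in
        add|delete) ;;
        *) echo "myAR.sh: invalid action: $action" >&2; return 1 ;;
    esac
    # srcip comes straight from a decoded log line, so it must never reach a
    # shell command unchecked: accept digits and dots only.
    case "$srcip" in
        ""|*[!0-9.]*) echo "myAR.sh: refusing srcip: $srcip" >&2; return 2 ;;
    esac
    echo "$(date '+%a %b %d %H:%M:%S %Z %Y') myAR.sh $action $user $srcip $alertid $ruleid"
}

main() {
    record=$(ar_handle "$@") || exit $?
    echo "$record" >> "$AR_LOG"
    # On "add": take the response action for "$3" (e.g. add a firewall rule).
    # On "delete": undo it after the configured <timeout>.
}

# Run main only when OSSEC executes this file as myAR.sh (not when sourced).
case "$0" in *myAR.sh) main "$@" ;; esac
```

With <expect>srcip</expect> in the <command> block, $3 is the decoded source address; without it OSSEC passes "-" and the script above refuses to act, which is the safe default for a script that has no address to work on.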