Hi Eric,
You don't have to duplicate the scripts. Just add a new active-response
section and give it a very high timeout and specify the rule id you want:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>3302</rules_id>
<timeout>9999</timeout>
</active-response>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Apr 23, 2010 at 5:45 PM, Eric Biondi <[email protected]> wrote:
> I would like to treat one Rule violation different from the rest. I'll
> duplicate the scripts for firewall drop under a different name and add
> commands in ossec.conf for the new script.
>
> Instead of Level 7 or above triggering the command, I'd like to have a
> specific postfix rule be the trigger. What would the tags be for this?
> Instead of <level></level> can I use something else? I want to make the
> firewall drop permanent for Rule: 3302.
>
> Thanks, Eric
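A check for the setup discussed in this thread, added here as an example and not part of the original messages or of OSSEC itself: it parses an ossec.conf fragment and lists which level or rule ids trigger each active response, with what timeout, and flags blocks whose command is undefined or does not allow a timeout. The sample config is constructed, a single <ossec_config> root is assumed, and audit_active_responses is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a firewall-drop command definition,
# a level-based response, and the rule-specific response from the reply.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>3302</rules_id>
    <timeout>9999</timeout>
  </active-response>
</ossec_config>"""

def audit_active_responses(conf_text):
    """Return (triggers, problems) for each <active-response> block."""
    root = ET.fromstring(conf_text)
    # Top-level <command> blocks define what an active response may call.
    defined = {c.findtext("name", "").strip(): c for c in root.findall("command")}
    triggers, problems = [], []
    for ar in root.findall("active-response"):
        name = ar.findtext("command", "").strip()
        level, timeout = ar.findtext("level"), ar.findtext("timeout")
        ids = [r.strip() for r in ar.findtext("rules_id", "").split(",") if r.strip()]
        cmd = defined.get(name)
        if cmd is None:
            problems.append(f"{name}: no matching <command> definition")
        elif timeout and cmd.findtext("timeout_allowed", "").strip() != "yes":
            problems.append(f"{name}: timeout set but timeout_allowed is not yes")
        # The <timeout> value is in seconds.
        triggers.append({"command": name, "rules_id": ids,
                         "level": int(level) if level else None,
                         "timeout_s": int(timeout) if timeout else None})
    return triggers, problems

if __name__ == "__main__":
    print(audit_active_responses(SAMPLE_CONF))
```
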