Nicholas Ritter wrote:
> I googled this question before posting and found no hits. I apologize
> in advance if I have missed this discussion on the list. I want to
> create rules that treat web application scans from McAfee ScanAlert
> differently in OSSEC. Because of the number of source IPs that ScanAlert
> uses, I was going to write a Perl script that fetches the CSV of source
> IPs from McAfee and creates OSSEC rules. Before I do any of this, are
> there already rules for ScanAlert, much less does anyone have comments
> on the subject regarding how they handle it?

Hey Nicholas,

I wrote the McAfee VSE support and, as far as I know, no other McAfee products are currently supported. I'm a bit confused as to why a Perl script would be needed. Wouldn't you just need to decode the IP and pass it to an Active Response script?

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
