On Fri, Jul 23, 2010 at 13:00, reg <[email protected]> wrote:

[trim]

> Here is my command and active response configuration. Even though I do
> not need any data from the rule itself, the
> <expect> tags were required for OSSEC to start, but that's another
> issue (I think).
>
> <command>
> <name>mailtest</name>
> <executable>mailtest.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
> <command>svncheck</command>
> <location>defined-agent</location>
> <agent_id>349</agent_id>
> <rules_id>5712</rules_id>
> </active-response>
>
I realize I'm a bit late to this thread, and you may have already figured this out, but if I understand correctly, the <command> element inside <active-response> must match the <name> element inside the previous command block. Above, you configure a command called "mailtest", but then call a command "svncheck". I believe your active-response block should look more like:

    <active-response>
    <command>mailtest</command>
    <location>defined-agent</location>
    <agent_id>349</agent_id>
    <rules_id>5712</rules_id>
    </active-response>

Again, forgive me if you already got past this, but that is the way I understand the Active Response documentation from the book.

JM
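The mismatch JM points out (an active-response referring to a command name that was never defined) is easy to catch mechanically. The script below is an added example, not part of the thread or of OSSEC itself: it parses a config fragment with Python's standard ElementTree, collects every <command><name>, and reports each <active-response> whose <command> has no definition. The sample config is constructed from the one quoted above.

```python
"""Check that every <active-response> in an OSSEC config fragment refers to
a <command> that is actually defined (added example, not OSSEC's own code)."""
import xml.etree.ElementTree as ET

# Constructed sample based on the configuration quoted in the thread: the
# command is defined as "mailtest" but the response refers to "svncheck".
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>mailtest</name>
    <executable>mailtest.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>svncheck</command>
    <location>defined-agent</location>
    <agent_id>349</agent_id>
    <rules_id>5712</rules_id>
  </active-response>
</ossec_config>
"""


def check_active_responses(conf_text):
    """Return (index, command) pairs for each <active-response> whose
    <command> does not match any defined <command><name>."""
    # ossec.conf may contain several top-level <ossec_config> elements,
    # so wrap the text in one root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # A command definition is a <command> element with a <name> child; the
    # <command> inside <active-response> has no <name> and is skipped here.
    defined = {
        (c.findtext("name") or "").strip()
        for c in root.iter("command")
        if c.find("name") is not None
    }
    problems = []
    for idx, ar in enumerate(root.iter("active-response")):
        cmd = (ar.findtext("command") or "").strip()
        if cmd not in defined:
            problems.append((idx, cmd))
    return problems


if __name__ == "__main__":
    for idx, cmd in check_active_responses(SAMPLE_CONF):
        print("active-response #%d refers to undefined command %r" % (idx, cmd))
```

Run it against your own ossec.conf by passing the file contents to check_active_responses; an empty list means every response names a defined command.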
