It really depends on what your script does. Active Response doesn't technically "block" anything - it just allows for passing of certain parameters/variables to scripts so that you can take actionable measures. Explaining it that way might help... although, it might confuse him even more! But one example I have for AR is that I used it to log the date, IP, and hostname to a file every time a specific alert was triggered in OSSEC. That way, I could keep a historical track record of all IPs, etc., that attacked the site/server in a specific way. It was passive and didn't block anything.
On Thu, Oct 14, 2010 at 6:59 AM, Toby <[email protected]> wrote:

> Thanks all for your responses. Just to be clear: I am not currently
> under attack. When my boss found out that I'd enabled something that
> could block IPs from our web site, he became anxious. I just wanted
> to explore the possibility that Active Response could cause more
> problems than it prevents.
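As an added example (not code from the post above or from the OSSEC project), here is the passive kind of active-response script the reply describes: it appends date, source IP and agent hostname to a file and blocks nothing. It assumes the argument order OSSEC documents for AR scripts (action, user, source IP, alert ID, rule ID, agent name, filename); the log path and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from OSSEC): a passive active-response
# script that records each trigger instead of blocking anything.
# Assumed argument order, as OSSEC documents for AR scripts:
#   $1 action (add|delete)  $2 user  $3 source IP  $4 alert ID
#   $5 rule ID  $6 agent name  $7 filename
# The log path is an assumption; OSSEC itself does not dictate it.

AR_LOG="${AR_LOG:-/var/ossec/logs/ar-history.log}"

# The source IP comes from attacker-influenced log data. Keep only the
# characters an IPv4/IPv6 literal can contain so that nothing else (spaces,
# newlines, shell metacharacters) reaches the log file or later tooling.
sanitize_ip() {
    case "$1" in
        ""|*[!0-9a-fA-F.:]*) printf '%s' 'invalid' ;;
        *)                   printf '%s' "$1" ;;
    esac
}

# log_ar_event LOGFILE ACTION USER SRCIP ALERTID RULEID AGENT
# Appends one tab-separated record (UTC timestamp first). Returns 1 for any
# action other than the two OSSEC sends, so unexpected calls are noticeable.
log_ar_event() {
    logfile="$1"; action="$2"; user="$3"; ip="$(sanitize_ip "$4")"
    alertid="$5"; ruleid="$6"; agent="$7"
    case "$action" in add|delete) ;; *) return 1 ;; esac
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$ts" "$action" "$ip" "$user" "$alertid" "$ruleid" "$agent" >> "$logfile"
}

# count_ip SRCIP LOGFILE: how many records name this IP, for the historical
# review the post describes (field 6 holds the rule ID if you want to split by rule).
count_ip() {
    ip="$(sanitize_ip "$1")"
    awk -F '\t' -v ip="$ip" '$3 == ip { n++ } END { print n + 0 }' "$2"
}

# Entry point when ossec-execd runs this script with its arguments.
if [ "$#" -ge 5 ]; then
    log_ar_event "$AR_LOG" "$1" "$2" "$3" "$4" "$5" "${6:--}"
fi
```

Because the script never touches iptables or hosts.deny, the only effect of a false positive is an extra line in the file, which is the trade-off the thread is weighing.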
