Hi,
I just wanna know if it's possible to have different durations for each
level of event, in ossec.conf.
This is the example:
#######################################################
<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 3600 seconds.
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>3600</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 3600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>3600</timeout>
</active-response>

<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 14.
     - The IP is going to be blocked for 43200 seconds(6 hours).
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>14</level>
  <timeout>43200</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 43200 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>14</level>
  <timeout>43200</timeout>
</active-response>
#######################################################
Thanks,
--
Kenny Casagrande | Risco Zero
(54)3028.5005 | www.riscozero.com.br
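
Added example, not part of the original post and not OSSEC code: a small audit script that applies the ">= level" rule stated in the config comments to the four blocks above and reports where a single event meets more than one threshold for the same command. The wrapping `<ossec_config>` root, the one-line layout of the sample and the function names are assumptions made for the example; it does not determine which timeout OSSEC ends up applying.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the four blocks from the post, one per line,
# wrapped in a single root element so the text parses as XML.
SAMPLE = """<ossec_config>
<active-response><command>host-deny</command><location>local</location><level>6</level><timeout>3600</timeout></active-response>
<active-response><command>firewall-drop</command><location>local</location><level>6</level><timeout>3600</timeout></active-response>
<active-response><command>host-deny</command><location>local</location><level>14</level><timeout>43200</timeout></active-response>
<active-response><command>firewall-drop</command><location>local</location><level>14</level><timeout>43200</timeout></active-response>
</ossec_config>"""


def load_responses(xml_text):
    """Return one dict per <active-response> block (command, level, timeout)."""
    root = ET.fromstring(xml_text)
    return [
        {
            "command": ar.findtext("command").strip(),
            "level": int(ar.findtext("level")),
            "timeout": int(ar.findtext("timeout")),
        }
        for ar in root.iter("active-response")
    ]


def matching(responses, rule_level):
    """Blocks whose <level> threshold is met, i.e. rule_level >= threshold."""
    return [r for r in responses if rule_level >= r["level"]]


def overlaps(responses, rule_level):
    """Commands matched by more than one block, with every timeout requested."""
    by_cmd = defaultdict(list)
    for r in matching(responses, rule_level):
        by_cmd[r["command"]].append(r["timeout"])
    return {cmd: sorted(ts) for cmd, ts in by_cmd.items() if len(ts) > 1}


if __name__ == "__main__":
    responses = load_responses(SAMPLE)
    for level in (5, 6, 14):
        print(level, matching(responses, level), overlaps(responses, level))
```
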