On Wed, 19 Jan 2011 11:22:48 +0800 seekuel <[email protected]> wrote:
> Hi,
>
> May I ask if there is a level we can configure ossec to? say:
>
> level1 - moderate
> level2 - Strict
> level3 - paranoid
>
> Since we experienced a scenario where the server is used for hosting and
> domains that have already expired still appear in search engines.
> When this happens and a client clicks the link of the expired
> domain, his IP address is blocked since the page does not exist.
>
> Is there a way that we can use a specific module in ossec to be active
> on our server?
I'd handle this by changing the rule level. First ID any rules that are
getting hits on the errors, then add local rules to override the level:
Say the rules getting triggered are 5505 and 55223
<group name="local,syslog,">
  <!-- child rule of the two noisy ones; level 0 means no alert is written and
       active response is never reached for them -->
  <rule id="100002" level="0">
    <if_sid>5505,55223</if_sid>
    <description>block active-response for the above errors</description>
  </rule>
</group>
The level you set would depend on how you have active response set up; mine hits
on 6 or higher, so setting the level to 5 would do it.
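To show how the two halves fit together, here is an added example (not from either poster) of the active-response threshold in ossec.conf alongside the overriding rule in local_rules.xml. The rule IDs 5505 and 55223 are the placeholders used in the reply, the threshold of 6 and the firewall-drop command are assumptions chosen to match it, and level 5 is used instead of 0 so the 404s still land in alerts.log without triggering a block.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): active response only fires for
     alerts at <level> or above. 6 is an assumed threshold matching the reply. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (fragment): re-level the noisy web-error
     rules. 5505 and 55223 are placeholder IDs; check your own alerts.log first. -->
<group name="local,syslog,">
  <rule id="100002" level="5">
    <if_sid>5505,55223</if_sid>
    <description>Web error for expired hosted domain; log but stay below the active-response level</description>
  </rule>
</group>
```

After restarting OSSEC, paste one of the offending web-server log lines into /var/ossec/bin/ossec-logtest and confirm the output reports rule 100002 at level 5 rather than the original ID; if the original rule is itself part of a longer chain that other rules depend on, the same effect can be had with `overwrite="yes"` on a copy of the original rule instead of a child rule.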