With those active response rules built in, would this be the preferred
method for enabling alerts specifically for those rules? (for example
in case the alert threshold is above Level 3)

 <email_alerts>
   <email_to>[email protected]</email_to>
   <rule_id>601, 602, 603, 604, 605, 606</rule_id>
 </email_alerts>


Secondly, how far from the current stable release is that revision?

Thanks
- Trey

On May 24, 6:06 pm, Michael Starks <[email protected]>
wrote:
> On 05/23/2011 08:39 PM, treydock wrote:
>
> > That's fine by me, though use "Trey Dockendorf".  Thanks!
>
> > - Trey
>
> Support added
> here: https://bitbucket.org/mstarks01/ossec-hids-mstarks/changeset/67e4be77...
>
> It should set up log monitoring on install, but won't actually work the
> first time because the active response log file doesn't get generated
> until the first response has been initiated; however, a subsequent
> restart of OSSEC should pick it up and start monitoring it.
>
> I didn't alert on the rules since that's pretty much OSSEC doing its job
> and I want to avoid unnecessary alerts, but of course that can easily be
> overridden in local_rules.xml. The rule descriptions have also changed a
> bit for brevity and consistency.
>
> Testers and suggestions welcome.
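An added example (not from this thread or from Michael's branch) of one way to put the two pieces discussed above together: a local_rules.xml child rule that fires on the active response rules and is mailed regardless of the global threshold, plus the matching ossec.conf entry. Rule IDs 601-606 and the level 3 threshold come from the question; the child rule id 100601, level 8, description and address are assumptions.

```xml
<!-- File 1: local_rules.xml (added example, not from the thread).
     A child rule matches whenever one of the active response rules
     601-606 fires. Its level is set above the email_alert_level of 3,
     and alert_by_email forces a mail even if that threshold is raised
     later. 100601 and level 8 are assumed values. -->
<group name="local,active_response,">
  <rule id="100601" level="8">
    <if_sid>601, 602, 603, 604, 605, 606</if_sid>
    <options>alert_by_email</options>
    <description>Active response fired (local override of 601-606)</description>
    <group>active_response,</group>
  </rule>
</group>

<!-- File 2: ossec.conf. The granular email block names the child rule,
     because 100601 is the id that appears in the alert once it matches;
     naming 601-606 here would no longer hit. Address is a placeholder. -->
<ossec_config>
  <alerts>
    <email_alert_level>3</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>ossec-admins@example.com</email_to>
    <rule_id>100601</rule_id>
  </email_alerts>
</ossec_config>
```

Restart OSSEC after editing both files; feeding a line from the active response log to ossec-logtest should then report rule 100601 rather than the stock 60x rule.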
