On 06/09/2011 09:52 PM, treydock wrote:
> Looking at the details of the rule I see why I didn't get any emails
> or extra log entries...it's level 6 (my threshold of notification is
> 7) and it doesn't have the setting in the rule to send email
> notifications. I think what threw me off was getting a notification
> that an active-response was triggered, but not getting a notification
> of what triggered it. Would it be possible to set OSSEC to email the
> trigger of an active-response regardless of its level? The idea
> being if it's significant enough to trigger active response then it is
> likely something worth being notified about.
> - Trey

When I made some modifications for inclusion into release, that was one
thing I took out. The reason was that, on just one busy Internet-facing
host, that could alert hundreds of times per day. This is "normal"
activity and I try to avoid alerting for situations which don't require
an immediate (human) response or heads up. I also reasoned that it is
easy enough to override in local_rules.xml for those that wanted this
level of attention. When OSSEC is too chatty people have a tendency to
mentally tune the alerts out, which means you can miss important stuff.
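As an added illustration of the local_rules.xml override the reply refers to (this is not code from either poster), two ways to get an email for a level-6 rule that fires an active response; RULE_ID_HERE is a placeholder, since the thread does not name the rule, and the threshold of 7 is the one Trey mentions.

```xml
<!-- local_rules.xml: added example, not from the thread.
     RULE_ID_HERE is a placeholder for the id of the level-6 rule that
     triggered the active response; substitute the real id. -->
<group name="local,">

  <!-- Option A: keep the rule at level 6 but always email on it.
       overwrite="yes" replaces the stock definition, so the original
       rule's match conditions (if_sid, match, regex, ...) must be
       copied in here, otherwise the rule will never fire. -->
  <rule id="RULE_ID_HERE" level="6" overwrite="yes">
    <!-- copy the original rule's conditions here -->
    <options>alert_by_email</options>
    <description>Original description, now emailed regardless of level.</description>
  </rule>

  <!-- Option B: leave the stock rule untouched and chain a local child
       rule (ids 100000-119999 are reserved for local rules) that raises
       the level above the email threshold of 7 used in the thread. -->
  <rule id="100100" level="8">
    <if_sid>RULE_ID_HERE</if_sid>
    <description>Active-response trigger escalated to level 8 for email notification.</description>
  </rule>

</group>
```

Option B is the less intrusive of the two, because it survives upgrades of the stock rule set and does not require reproducing the original rule's conditions; either way, as the reply warns, expect the email volume on a busy Internet-facing host to be high.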