THANKS!!!

I guess I've been working on this too long... I didn't even think of that!

It worked, better than trying to mess with the active response:


In /var/ossec/rules/local_rules.xml

<rule id="110000" level="10">
  <if_matched_sid>5715</if_matched_sid>
  <user>beeper</user>
  <description>beeper logged in</description>
</rule>

~Carrie
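For anyone who does keep the active-response route BP9906 described, here is an added example of what beeper-login.sh could look like; it is not Carrie's or BP9906's script and not part of OSSEC. ossec-execd passes every active-response script the action, user, source IP, alert id and rule id as positional arguments, so the script can check the watched account and the rule id (110000 and "beeper" from the thread) itself; the recipient address and the use of mail(1) are assumptions.

```shell
#!/bin/sh
# Added example: a notify-only OSSEC active-response script for the thread's
# scenario. Not from the original posts and not part of OSSEC.
# ossec-execd invokes active-response scripts as:
#   <script> <action> <user> <srcip> <alert-id> <rule-id>
# <action> is "add" when a rule fires and "delete" when a timeout expires.
# Assumptions: watched account "beeper" and local rule 110000 (both from the
# thread); the recipient address and the mail(1) command are placeholders.

WATCHED_USER="beeper"
WATCHED_RULE="110000"
NOTIFY_TO="soc@example.invalid"   # placeholder recipient

# should_notify ACTION USER RULEID: returns 0 only for an "add" of the
# watched rule for the watched user, so a typo in ossec.conf (wrong
# rules_id, or a rules_group that matches every successful login) cannot
# turn this into a mail flood for other accounts.
should_notify() {
    [ "$1" = "add" ] || return 1
    [ "$3" = "$WATCHED_RULE" ] || return 1
    [ "$2" = "$WATCHED_USER" ] || return 1
}

# build_message USER SRCIP ALERTID RULEID: prints the mail body on stdout.
build_message() {
    host="$(hostname 2>/dev/null || echo unknown-host)"
    printf 'OSSEC: login by watched account %s\n' "$1"
    printf 'user=%s srcip=%s alert_id=%s rule_id=%s host=%s\n' \
        "$1" "$2" "$3" "$4" "$host"
}

main() {
    if should_notify "$1" "$2" "$5"; then
        # Stock scripts run from /var/ossec/active-response/bin and log one
        # line per invocation to ../active-responses.log; do the same.
        echo "$(date) $0 $1 $2 $3 $4 $5" >> ../active-responses.log 2>/dev/null
        build_message "$2" "$3" "$4" "$5" \
            | mail -s "OSSEC: $WATCHED_USER logged in" "$NOTIFY_TO"
    fi
    exit 0
}

# Only run main when installed under the expected name, so the functions can
# be sourced and exercised without sending mail.
case "$0" in
    *beeper-login.sh) main "$@" ;;
esac
```

Pair it with `<rules_id>110000</rules_id>` in the active-response block rather than `<level>` or `<rules_group>`, otherwise execd will call the script for every successful login and the script's own check is the only thing keeping the mailbox quiet.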

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of BP9906
Sent: Wednesday, January 25, 2012 6:22 PM
To: ossec-list
Subject: [ossec-list] Re: Script assistance

Well, you could start with using a rule for that user first. Then you could 
change the "<level>2</level>" option you're using to 
<rules_id>100001</rules_id>, assuming that's your rule ID.

Then you can just configure the script to do something, either block the IP, 
lock the user account, etc.

Hope that helps.


On Jan 25, 1:38 pm, "Carrie Poole" <[email protected]> wrote:
> I'm trying to set an Active Response alert based on a particular user 
> login, and I'm not sure how to write the script.
>
> Anyone out there have any ideas?
>
> What I need it to do is email an alert when a certain user account 
> logs into any one of the agents.
>
> I think I got the command config and active response config correct, 
> but I don't know how to write the script so it sets off on only that user:
>
> <command>
>     <name>beeper-login-Notification</name>
>     <executable>beeper-login.sh</executable>
>     <expect>username</expect>
>     <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>     <disabled>no</disabled>
>     <command>beeper-login-Notification</command>
>     <location>all</location>
>     <level>2</level>
>     <rules_group>authentication_success</rules_group>
> </active-response>
>
> Carrie Poole,
>
> Network  Engineer
>
> (610) 821-8980 ext 559
>
> (610)841-5559 (Direct)
>
> Fax: (610)821-1245
>
> [email protected]
>
> CONFIDENTIALITY NOTICE: This e-mail is confidential and intended 
> solely for the use of the individual or entity to which it is 
> addressed.  If you are not the intended recipient, be advised that you 
> have received this email in error and that any use, dissemination, 
> forwarding, printing or copying of this e-mail is strictly prohibited. 
> If you received this e-mail in error, please delete it from your computer and 
> contact the sender.