Hi all,
Is it possible to launch an action or script when an alert rule is
triggered? Like what happens with active response, but driven by rules. For
example, using the netstat sample from the OSSEC manual:
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>
and the rule:
<rule id="140123" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat -tan |grep LISTEN</match>
  <check_diff />
  <description>Listened ports have changed.</description>
</rule>
can I launch a script after the rule alert is triggered? For example, to
discover and kill the process that opened the new TCP port.
Thanks.
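An added example, not part of the original post, showing how a rule like 140123 can be tied to a script through OSSEC's active response: a command is declared once, then an active-response stanza binds it to the rule id. The script name new-listen-port.sh is an assumed placeholder; it must be provided by you under the active-response/bin directory of the OSSEC install and be executable.

```xml
<!-- Added example (not from the original post): ossec.conf fragment that
     runs a local script whenever rule 140123 fires. The script name
     new-listen-port.sh is a hypothetical placeholder you must supply under
     /var/ossec/active-response/bin/ on the agent. -->
<ossec_config>
  <!-- Declare the command. The empty <expect> matters here: the netstat
       alert carries no source IP, and with the default expectation of
       srcip the response would never be executed for this rule. -->
  <command>
    <name>new-listen-port</name>
    <executable>new-listen-port.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Run the command on the agent that produced the alert, only when
       rule 140123 (listening ports changed) matches. -->
  <active-response>
    <command>new-listen-port</command>
    <location>local</location>
    <rules_id>140123</rules_id>
  </active-response>
</ossec_config>
```

The script receives positional arguments (action, user, source IP, alert id, rule id), so it can look up the matching alert with its check_diff output to see which port appeared. Recording the owning process first, rather than killing it outright, is the safer default, since a changed listening set also follows legitimate service restarts.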