Why couldn't you use active response for this?
On Mon, Apr 23, 2012 at 5:19 AM, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
> Is it possible to launch an action or script when an alert rule is
> triggered?? Like occurs with active response but using rules. For
> example: using netstat sample in OSSEC manual:
>
> <localfile>
> <log_format>full_command</log_format>
> <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
> </localfile>
>
> and rule:
>
> <rule id="140123" level="7">
> <if_sid>530</if_sid>
> <match>ossec: output: 'netstat -tan |grep LISTEN</match>
> <check_diff />
> <description>Listened ports have changed.</description>
> </rule>
>
> can I launch a script after rule alert is triggered?? For example to
> discover and kill what process had open new tcp port.
>
> Thanks.
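For readers landing on this thread, here is what the reply means by "use active response": the ossec.conf fragment below (an added example, not taken from either poster) binds a script to rule 140123 from the quoted message so it runs on the agent whenever that check_diff rule fires. The command name `listen-port-changed` and the script filename `listen-port-changed.sh` are placeholders chosen for this example; the script itself is assumed to exist in the agent's active-response/bin directory and is not shown.

```xml
<ossec_config>
  <!-- Declare the script OSSEC may run. The executable is looked up
       under /var/ossec/active-response/bin/ on the host that runs it.
       An empty <expect> means no srcip/user field is required in the
       alert, so this works for rules like 140123 that carry neither. -->
  <command>
    <name>listen-port-changed</name>
    <executable>listen-port-changed.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Tie the command to the quoted rule id. location "local" runs the
       script on the agent that produced the alert, i.e. the host whose
       netstat output changed, rather than on the manager. -->
  <active-response>
    <command>listen-port-changed</command>
    <location>local</location>
    <rules_id>140123</rules_id>
  </active-response>
</ossec_config>
```

OSSEC invokes the script with positional arguments (action, user, source IP, alert id, rule id), so a script written against this wiring can log the alert id and rule id and then inspect the changed listener list on its own; because 140123 is a diff rule with no timeout, only the "add" action is ever passed.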
