Because, for example, in the sample I have shown... how can I use active response to block access to a certain port that has been opened by a daemon without admin permission?
On Mon, Apr 23, 2012 at 2:44 PM, dan (ddp) <[email protected]> wrote:
> Why couldn't you use active response for this?
>
> On Mon, Apr 23, 2012 at 5:19 AM, C. L. Martinez <[email protected]> wrote:
>> Hi all,
>>
>> Is it possible to launch an action or script when an alert rule is
>> triggered? Like what happens with active response, but using rules. For
>> example, using the netstat sample in the OSSEC manual:
>>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
>> </localfile>
>>
>> and rule:
>>
>> <rule id="140123" level="7">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>>   <check_diff />
>>   <description>Listened ports have changed.</description>
>> </rule>
>>
>> can I launch a script after the rule alert is triggered? For example, to
>> discover and kill whatever process has opened the new TCP port.
>>
>> Thanks.
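One way to wire a script to rule 140123, as an added example that is not from the thread or from OSSEC's own active-response scripts: the block below is an active-response script that records which process owns each TCP port that started listening since its last run, with the ossec.conf binding shown in its leading comments. The baseline and log paths, and the use of ss(8) for the owner lookup, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): active-response script that
# records the owner of every TCP port that started listening since the last
# run. Wire it to rule 140123 in ossec.conf with:
#   <command><name>log-new-listeners</name>
#            <executable>log-new-listeners.sh</executable>
#            <expect></expect><timeout_allowed>no</timeout_allowed></command>
#   <active-response><command>log-new-listeners</command>
#                    <location>local</location><rules_id>140123</rules_id>
#   </active-response>
# and install it in /var/ossec/active-response/bin/. It runs under
# ossec-execd (root on a default install), so ss -p can see the owning PID.
# The two paths below and the use of ss(8) are assumptions.
BASELINE=${BASELINE:-/var/ossec/active-response/listen-baseline}
LOG=${LOG:-/var/ossec/logs/active-responses.log}

# snapshot: one line per listening TCP socket, "local_addr:port process-info"
snapshot() {
  ss -ltnp 2>/dev/null | awk 'NR > 1 { print $4, ($6 == "" ? "-" : $6) }' | sort
}

# new_listeners PREV CUR: lines of CUR whose local address is absent from PREV
# (keyed on FILENAME so an empty PREV still works)
new_listeners() {
  awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$1" "$2"
}

# main: OSSEC calls scripts as: action user srcip alert_id rule_id agent file
main() {
  action=$1 rule_id=$5
  [ "$action" = "add" ] || return 0      # "delete" is the timeout call
  cur=$(mktemp) || return 1
  snapshot > "$cur"
  if [ -f "$BASELINE" ]; then
    new_listeners "$BASELINE" "$cur" | while read -r addr proc; do
      printf '%s rule %s: new listener %s owned by %s\n' \
        "$(date)" "$rule_id" "$addr" "$proc" >> "$LOG"
    done
  fi
  mv "$cur" "$BASELINE"                  # current snapshot becomes the baseline
}

# Run only when invoked by ossec-execd with its argument list
[ $# -ge 5 ] && main "$@"
```

Whether to go further and kill the owning process is a per-host decision; the log line gives the analyst the PID and command to act on.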
