On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez <[email protected]> wrote:
> Because for example for the sample that I have exposed... How can I
> use active response to block access to a certain port that has been
> started by a daemon without admin permission??
>

Your example doesn't offer any specific port, but instead a list of ports. You could handle this in the script though. When rule 140123 fires, run portcheck.pl. portcheck.pl then goes through the listening ports and adds firewall rules blocking access to all non-approved (hardcoded maybe, or a list updated via puppet, whatever) ports.

> On Mon, Apr 23, 2012 at 2:44 PM, dan (ddp) <[email protected]> wrote:
>> Why couldn't you use active response for this?
>>
>> On Mon, Apr 23, 2012 at 5:19 AM, C. L. Martinez <[email protected]> wrote:
>>> Hi all,
>>>
>>> Is it possible to launch an action or script when an alert rule is
>>> triggered?? Like occurs with active response but using rules. For
>>> example: using the netstat sample in the OSSEC manual:
>>>
>>> <localfile>
>>>   <log_format>full_command</log_format>
>>>   <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
>>> </localfile>
>>>
>>> and rule:
>>>
>>> <rule id="140123" level="7">
>>>   <if_sid>530</if_sid>
>>>   <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>>>   <check_diff />
>>>   <description>Listened ports have changed.</description>
>>> </rule>
>>>
>>> can I launch a script after a rule alert is triggered?? For example to
>>> discover and kill what process has opened a new tcp port.
>>>
>>> Thanks.
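Added example, not code from the thread or from the OSSEC project: a POSIX shell sketch of the "portcheck" active-response script dan describes (he names it portcheck.pl; the language is swapped here). The ossec.conf wiring in the header comment and the convention that OSSEC passes "add" as the script's first argument are assumptions based on the stock active-response scripts; the allow-list, the netstat sample and the script name are constructed for the example.

```shell
#!/bin/sh
# portcheck.sh -- hypothetical OSSEC active-response script (added example).
# Assumed ossec.conf wiring, so the script runs whenever rule 140123 fires:
#
#   <command>
#     <name>portcheck</name>
#     <executable>portcheck.sh</executable>
#     <expect></expect>
#     <timeout_allowed>no</timeout_allowed>
#   </command>
#   <active-response>
#     <command>portcheck</command>
#     <location>local</location>
#     <rules_id>140123</rules_id>
#   </active-response>

# Approved listening ports, one per line.  Hardcoded here; dan's suggestion
# of pushing this list out via puppet fits the same shape.
APPROVED_PORTS="22
80
443"

# Constructed sample of `netstat -tan` output, used by the "demo" mode below.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::4444                 :::*                    LISTEN'

# Reads netstat output on stdin; prints each listening TCP port once,
# ignoring loopback-only listeners (same filter as the monitored command).
# Taking the last ':'-separated field handles both 0.0.0.0:22 and :::22.
listening_ports() {
    awk '$NF == "LISTEN" && $4 !~ /^127\.0\.0\.1:/ {
             n = split($4, a, ":"); print a[n]
         }' | sort -un
}

# Reads netstat output on stdin; prints the listening ports that are not
# on the allow-list (grep -x: whole-line match, so 22 does not match 2222).
unapproved_ports() {
    listening_ports | while read -r port; do
        if ! printf '%s\n' "$APPROVED_PORTS" | grep -qx "$port"; then
            echo "$port"
        fi
    done
}

# Reads netstat output on stdin and emits one iptables rule per unapproved
# port.  With "dry" as the first argument the commands are printed instead
# of executed.  -I puts the DROP at the head of INPUT so it takes precedence
# over any existing ACCEPT for that port.
block_unapproved() {
    mode=$1
    unapproved_ports | while read -r port; do
        cmd="iptables -I INPUT -p tcp --dport $port -j DROP"
        if [ "$mode" = "dry" ]; then
            echo "$cmd"
        else
            $cmd
            logger -t portcheck "blocked unapproved listener on tcp/$port"
        fi
    done
}

# Entry point.  Stock OSSEC active-response scripts receive the action
# ("add" or "delete") as $1 (assumed convention); "demo" runs the logic
# against the constructed sample without touching the firewall.
case "$1" in
    add)  netstat -tan | block_unapproved ;;
    demo) printf '%s\n' "$SAMPLE_NETSTAT" | block_unapproved dry ;;
esac
```

Note the caveat that applies to any reactive block of this kind: the rule only fires on the next run of the monitored command, so there is a window between the rogue listener starting and the DROP landing, and blocking the port does not remove the process that opened it.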
