On Mon, Apr 23, 2012 at 3:02 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez <[email protected]> wrote:
>> Because, for example, for the sample that I have exposed... How can I
>> use active response to block access to a certain port that has been
>> started by a daemon without admin permission?
>>
>
> Your example doesn't offer any specific port, but instead a list of
> ports. You could handle this in the script though. When rule 140123
> fires, run portcheck.pl. portcheck.pl then goes through the listening
> ports and adds firewall rules blocking access to all non-approved
> (hardcoded maybe, or a list updated via puppet, whatever) ports.
>
That is my question: where do I need to put this portcheck.sh script, in ossec.conf or in the rule definition?
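
The active-response handler that dan sketches above, written out as an added example (this is not a script from the thread or from the OSSEC project). It assumes the script is installed as /var/ossec/active-response/bin/portcheck.sh and wired up with a `<command>` plus `<active-response>` block in ossec.conf keyed on rule id 140123 from the thread (shown in the header comment); that the approved-port list is hardcoded (a file pushed by puppet would work the same way); and that `ss` and `iptables` are available on the host. OSSEC passes the action (`add` or `delete`) as the first argument; the script only acts on `add`. The `ss -ltn` output used to exercise it below is constructed, not captured from a real host.

```shell
#!/bin/sh
# portcheck.sh: OSSEC active-response handler (added example, not the list's script).
#
# Assumed wiring in ossec.conf; the script itself lives in
# /var/ossec/active-response/bin/ (rule id 140123 is the one from the thread):
#
#   <command>
#     <name>portcheck</name>
#     <executable>portcheck.sh</executable>
#     <expect></expect>
#     <timeout_allowed>no</timeout_allowed>
#   </command>
#   <active-response>
#     <command>portcheck</command>
#     <location>local</location>
#     <rules_id>140123</rules_id>
#   </active-response>
#
# OSSEC invokes active-response scripts as:
#   portcheck.sh add|delete USER SRCIP ALERTID RULEID
# Only the first argument matters here.

# Hardcoded allow-list of TCP ports (assumption; replace with a puppet-managed file if preferred)
APPROVED_PORTS="22 80 443"

# Succeed (exit 0) if port $1 is in APPROVED_PORTS
is_approved() {
    for p in $APPROVED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read `ss -ltn`-style lines on stdin and print every listening port that is
# not approved, one per line, deduplicated. Column 4 is "addr:port"; stripping
# up to the last ':' handles *:22, 0.0.0.0:80, [::]:8080 and :::443 alike.
# The header line yields a non-numeric "port" and is skipped.
nonapproved_ports() {
    awk '{print $4}' | sed 's/.*://' | sort -un | while read -r port; do
        case "$port" in
            ''|*[!0-9]*) continue ;;
        esac
        is_approved "$port" || echo "$port"
    done
}

# Block inbound TCP to port $1. With DRY_RUN=1 the iptables command is printed
# instead of executed, so the logic can be checked without touching the firewall.
block_port() {
    rule="iptables -I INPUT -p tcp --dport $1 -j DROP"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$rule"
    else
        $rule
    fi
}

# Entry point when called by OSSEC. Only 'add' is handled; 'delete' (a
# timeout-driven undo) is ignored, so inserted rules stay until removed by hand.
main() {
    [ "$1" = "add" ] || return 0
    ss -ltn | nonapproved_ports | while read -r port; do
        block_port "$port"
    done
}

# Constructed sample of `ss -ltn` output: sshd, nginx on 80/443, and an
# unapproved daemon listening on 8080 over both IPv4 and IPv6.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 0.0.0.0:80 *:*
LISTEN 0 128 127.0.0.1:8080 *:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 :::443 :::*'

# Run the real thing only when OSSEC hands us arguments; sourcing or running
# the file bare does nothing to the firewall.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

To dry-run against the sample without OSSEC: `printf '%s\n' "$SAMPLE_SS" | nonapproved_ports` should print only `8080`, and `DRY_RUN=1 block_port 8080` prints the iptables rule rather than applying it.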
