You would need to define it in the manager's ossec.conf, just like all
other active responses. Then the script will have to be installed on
the systems you want it to run on.

On Mon, Apr 23, 2012 at 9:08 AM, C. L. Martinez <[email protected]> wrote:
> On Mon, Apr 23, 2012 at 3:02 PM, dan (ddp) <[email protected]> wrote:
>> On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez <[email protected]> wrote:
>>> Because, for example, for the sample that I have exposed... How can I
>>> use active response to block access to a certain port that has been
>>> started by a daemon without admin permission?
>>>
>>
>> Your example doesn't offer any specific port, but instead a list of
>> ports. You could handle this in the script though. When rule 140123
>> fires, run portcheck.pl. portcheck.pl then goes through the listening
>> ports and adds firewall rules blocking access to all non-approved
>> (hardcoded maybe, or a list updated via puppet, whatever) ports.
>>
>
> That is my question: where do I need to put this portcheck.sh script,
> in ossec.conf or in the rule definition?
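
Putting the two halves of the answer together as an added example (this is
not code from the thread or from the OSSEC project): the manager-side
ossec.conf entries are shown in the comment block at the top, and the script
body below is what gets installed on each agent. Rule id 140123 and the
file name portcheck.sh come from the thread; the command name "portcheck",
the allowlist contents, the use of ss and iptables, the DRY_RUN switch and
the argument order execd passes are assumptions.

```sh
#!/bin/sh
# portcheck.sh - added example active-response script (not from the thread
# or from OSSEC itself).
#
# Assumed manager-side ossec.conf entries (rule id 140123 is from the thread,
# the command name "portcheck" is an assumption):
#
#   <command>
#     <name>portcheck</name>
#     <executable>portcheck.sh</executable>
#     <expect></expect>
#     <timeout_allowed>no</timeout_allowed>
#   </command>
#
#   <active-response>
#     <command>portcheck</command>
#     <location>local</location>
#     <rules_id>140123</rules_id>
#   </active-response>
#
# The script itself lives on the agent, e.g. as
# /var/ossec/active-response/bin/portcheck.sh (owned by root:ossec, mode 0750).

# Approved listening ports, one per line. Hardcoded here; could also be a
# file pushed out by puppet as suggested in the thread (assumed defaults).
ALLOWED_PORTS="${ALLOWED_PORTS:-$(printf '22\n80\n443')}"

# Print the ports in $1 (newline-separated listening ports) that are not in
# $2 (newline-separated approved ports), de-duplicated and sorted numerically.
unapproved_ports() {
    listening="$1"; allowed="$2"
    printf '%s\n' "$listening" | sort -un | while read -r port; do
        [ -n "$port" ] || continue
        if ! printf '%s\n' "$allowed" | grep -qx "$port"; then
            printf '%s\n' "$port"
        fi
    done
}

# Listening TCP ports from `ss -ltn` (assumed available; netstat -tln is the
# older equivalent). Column 4 is "addr:port"; keep only the port number.
listening_ports() {
    ss -ltn 2>/dev/null | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }'
}

# Emit one iptables DROP rule per unapproved port. With DRY_RUN=1 the
# commands are printed instead of executed (used for testing without root).
block_ports() {
    for port in $(unapproved_ports "$1" "$2"); do
        cmd="iptables -I INPUT -p tcp --dport $port -j DROP"
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
    done
}

# Entry point. execd passes the action ("add" or "delete") as the first
# argument (assumed order: ACTION USER IP ALERTID RULEID ...). Only "add" is
# handled; no <timeout> is set, so no "delete" call is expected.
main() {
    [ "$1" = "add" ] || return 0
    block_ports "$(listening_ports)" "$ALLOWED_PORTS"
}

# Run only when invoked directly as portcheck.sh, so the functions can be
# sourced elsewhere without side effects.
case "${0##*/}" in portcheck.sh) main "$@" ;; esac
```

The rule on the manager decides when the response fires; the script on the
agent decides what to block, so the allowlist and the firewall command stay
local to the host where they apply.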
