Ok, many thanks dan ...
On Mon, Apr 23, 2012 at 3:29 PM, dan (ddp) <[email protected]> wrote:
> You would need to define it in the manager's ossec.conf, just like all other active responses. Then the script will have to be installed on the systems you want it to run on.
>
> On Mon, Apr 23, 2012 at 9:08 AM, C. L. Martinez <[email protected]> wrote:
>> On Mon, Apr 23, 2012 at 3:02 PM, dan (ddp) <[email protected]> wrote:
>>> On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez <[email protected]> wrote:
>>>> Because for example for the sample that I have exposed... How can I use active response to block access to a certain port that has been started by a daemon without admin permission??
>>>>
>>>
>>> Your example doesn't offer any specific port, but instead a list of ports. You could handle this in the script though. When rule 140123 fires, run portcheck.pl. portcheck.pl then goes through the listening ports and adds firewall rules blocking access to all non-approved (hardcoded maybe, or a list updated via puppet, whatever) ports.
>>>
>>
>> That is my question: where do I need to put this portcheck.sh script, in ossec.conf or in the rule definition??

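For reference, this is what the manager-side wiring dan describes looks like as an added ossec.conf fragment (not taken from the thread): a <command> entry naming the script and an <active-response> entry binding it to rule 140123. The script name portcheck.sh and the rule ID come from the thread; the assumption is that the script is copied to the default /var/ossec/active-response/bin/ directory on every agent that should run it.

```xml
<ossec_config>
  <!-- Declares the script to OSSEC. The executable is looked up relative to
       /var/ossec/active-response/bin/ on whichever host runs it, so the
       script must be installed there on every target agent (assumption:
       default install path). -->
  <command>
    <name>portcheck</name>
    <executable>portcheck.sh</executable>
    <!-- Empty: the script derives the port list itself and does not need
         srcip/username from the alert. -->
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Binds the command to the rule. location=local runs it on the agent
       that produced the alert, which is where the unapproved listener is. -->
  <active-response>
    <command>portcheck</command>
    <location>local</location>
    <rules_id>140123</rules_id>
  </active-response>
</ossec_config>
```

The rule definition itself stays unchanged; only ossec.conf on the manager carries the active-response binding, and agents pick it up on restart.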