If you are using centralized configs or anything for remote management, it would be better to increase the level that the deny rules trigger to something that you won't hit, like a level of 20. If you disable active response you can no longer remotely restart the ossec agent from the ossec server when it needs to reload a new OSSEC shared agent.conf file.

On Thu, Jul 26, 2012 at 6:58 AM, bw <[email protected]> wrote:
> On 07/26/2012 10:13, shinu ak wrote:
>>
>> I would like to remove the deny rules which is called by ossec, I have
>> started ossec just for monitoring, want to remove such deny rules from
>> ossec config file.
>>
>
> You want to disable active response.
>
> Add this to /var/ossec/ossec.conf:
>
> <active-response>
>   <disabled>yes</disabled>
> </active-response>

--
Registered Linux User # 379282
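
The two options discussed in this thread, side by side, as an added configuration example that is not part of the original messages. It assumes the deny rules are the `host-deny` and `firewall-drop` active responses with a level of 6 and a timeout of 600, as in a stock install; adjust the command names and timeout to match your own ossec.conf.

```xml
<!-- Option from the quoted reply: turns off ALL active responses,
     which also stops remote agent restarts driven from the server. -->
<active-response>
  <disabled>yes</disabled>
</active-response>

<!-- Option from the top reply: keep active response enabled, but raise
     the trigger level of the deny responses to one that alerts are not
     expected to reach (20, as suggested in the message).
     Command names, original level and timeout are assumptions. -->
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>20</level>      <!-- was 6 -->
  <timeout>600</timeout>
</active-response>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>20</level>      <!-- was 6 -->
  <timeout>600</timeout>
</active-response>
```

Use one option or the other, not both: with the second option no `<disabled>yes</disabled>` block is present, so any other active responses defined in the file remain in effect.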
