I think I figured out my problem: the presence of <level> means *any* event of this level or higher triggers the active-response, regardless of the <rules_id>.
I had misunderstood it to mean 'only these rules with these IDs, at level 10 or higher'. Let me know if I'm right :) Thanks!

On Thursday, February 14, 2013 8:25:10 AM UTC+11, [email protected] wrote:
>
> Hello,
>
> I have active-response enabled in ossec.conf of the server as follows:
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>10</level>
>   <rules_id>31151,5712,104130</rules_id>
>   <timeout>600</timeout>
> </active-response>
>
> It is correctly blocking IPs with firewall-drop in response to rules 31151, 5712, 104130 as configured above.
>
> Problem:
>
> I am *also* seeing IPs getting blocked with the firewall-drop on the agents, when those IPs are only triggering 1003 rules (Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large).")
>
> The IP is definitely not triggering any other rules - grepping for the IP in /var/ossec/logs/alerts/alerts.log on the master only shows 3 cases of triggering 1003, and the IP is then blocked in /var/ossec/logs/active-responses.log 2 seconds later, despite active-response only being configured to respond to rules 31151,5712,104130.
>
> What am I missing? Is 1003 automatically blocked?
>
> I am running OSSEC 2.7 on Ubuntu 12.04 LTS hosts, with one server and 7 agents. Let me know if you require any more information.
>
> Thanks for any help!
>
> Mig
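To make the matching behaviour described in the reply above concrete, here is an added example (not from the thread or from the OSSEC project) that parses the quoted <active-response> block and works out which rules would fire it. It assumes the OR semantics the poster describes: a rule triggers the response if its level is at or above <level> OR its id is listed in <rules_id>. The rule table is constructed for illustration; only rule 1003 at level 13 comes from the thread, the other levels are sample values.

```python
"""Emulate OSSEC active-response matching as described in the thread.

Assumption (labelled): a rule triggers the response when EITHER its level is
at or above <level> OR its id appears in <rules_id>. Rule levels other than
1003 (level 13, from the thread) are constructed sample values.
"""
import xml.etree.ElementTree as ET

# Active-response block from the thread, wrapped in a root element so the
# standard XML parser accepts it (ossec.conf allows bare top-level blocks).
OSSEC_CONF = """<ossec_config>
<active-response>
<command>firewall-drop</command>
<location>all</location>
<level>10</level>
<rules_id>31151,5712,104130</rules_id>
<timeout>600</timeout>
</active-response>
</ossec_config>"""

# Constructed rule table: id -> level. 1003 at level 13 is from the thread;
# the remaining levels are sample values for illustration only.
SAMPLE_RULES = {
    1003: 13,    # Non standard syslog message (size too large)
    5712: 10,    # listed in <rules_id>
    31151: 10,   # listed in <rules_id>
    104130: 7,   # listed in <rules_id>, below the level threshold
    5710: 5,     # not listed, below threshold -> must not trigger
    40101: 12,   # not listed, above threshold -> triggers via <level>
}


def parse_active_responses(conf_text):
    """Return a list of dicts describing each <active-response> block."""
    root = ET.fromstring(conf_text)
    result = []
    for ar in root.iter("active-response"):
        level = ar.findtext("level")
        rules_id = ar.findtext("rules_id") or ""
        result.append({
            "command": ar.findtext("command"),
            "level": int(level) if level else None,
            "rules_id": {int(x) for x in rules_id.split(",") if x.strip()},
        })
    return result


def matches(ar, rule_id, rule_level):
    """True if the rule would fire this active-response (OR of both criteria)."""
    by_level = ar["level"] is not None and rule_level >= ar["level"]
    by_id = rule_id in ar["rules_id"]
    return by_level or by_id


def triggering_rules(conf_text, rules):
    """Map each active-response command to the sorted rule ids that fire it."""
    out = {}
    for ar in parse_active_responses(conf_text):
        out[ar["command"]] = sorted(
            rid for rid, lvl in rules.items() if matches(ar, rid, lvl))
    return out


def audit(conf_text, rules):
    """Flag blocks where <level> widens the match beyond the listed rules_id."""
    findings = []
    for ar in parse_active_responses(conf_text):
        if ar["level"] is None or not ar["rules_id"]:
            continue
        extra = sorted(rid for rid, lvl in rules.items()
                       if lvl >= ar["level"] and rid not in ar["rules_id"])
        if extra:
            findings.append(
                f"{ar['command']}: <level>{ar['level']}</level> also fires for "
                f"unlisted rules {extra}; remove <level> to match rules_id only")
    return findings


if __name__ == "__main__":
    print(triggering_rules(OSSEC_CONF, SAMPLE_RULES))
    for finding in audit(OSSEC_CONF, SAMPLE_RULES):
        print("WARNING:", finding)
```

Running it against the thread's block reports that rule 1003 (level 13) and the unlisted sample rule 40101 fire firewall-drop purely through <level>, which is the symptom the original post describes; the audit function is the check to run over an ossec.conf before enabling a blocking response.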
