Can someone explain how an OSSEC agent in an active response config
detects or responds to events (e.g. a scan attempt on a web server returning 404 status
codes)?
I know that the XML block below at the server end fires up the response on
the agent end. But all the rules are kept in the /root dir, not the usual
installation dir for the agent. Apart from it monitoring the Apache access
logs, it doesn't have a script or regex that tells us what status code to
check.
Is it something that is shared on the fly between client and server using
UDP port 1514? Kindly help me understand it.
<!-- Active response to block http scanning -->
<active-response>
<command>route-null</command>
<location>local</location>
<!-- Multiple web server 400 error codes from same source IP -->
<rules_id>31151</rules_id>
<timeout>600</timeout>
</active-response>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
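The following is an added worked example, written for this thread; it is not OSSEC's code and not from the original poster. It simulates in Python the part of the pipeline the question is about: the manager (not the agent) decodes the forwarded Apache line into source IP and status code, a frequency rule in the style of 31151 counts 4xx responses per source IP over a time window, and when the rule fires the manager hands the agent only the command name, the action and the offending IP. That is why the agent's route-null script needs no knowledge of status codes. The thresholds (10 hits in 120 s), timestamps, IPs and log lines are constructed assumptions; the argument list mirrors the conventional OSSEC active-response script interface (action, user, source IP, alert id, rule id), with a placeholder alert id.

```python
"""Toy re-creation of manager-side decoding, frequency-rule matching and the
active-response hand-off (added example; not OSSEC code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ASSUMED thresholds for illustration; OSSEC's real values live in its web rules.
RULE_ID = 31151
FREQUENCY = 10      # this many 4xx hits from one source IP ...
TIMEFRAME = 120     # ... within this many seconds fires the rule

# Decoder step: fields pulled out of an Apache combined-format line.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_apache(line):
    """Return decoded fields for one access-log line, or None if it does not parse."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    return {
        "srcip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m.group("status")),
        "request": m.group("req"),
    }


class FrequencyRule:
    """'N matching events from the same srcip within T seconds' (sliding window)."""

    def __init__(self, rule_id, frequency, timeframe, match):
        self.rule_id = rule_id
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.match = match                 # predicate selecting the base events
        self.hits = defaultdict(deque)     # srcip -> timestamps inside the window

    def feed(self, event):
        """Feed one decoded event; return an alert dict when the rule fires."""
        if event is None or not self.match(event):
            return None
        q = self.hits[event["srcip"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > self.window:
            q.popleft()                    # drop hits older than the timeframe
        if len(q) >= self.frequency:
            q.clear()                      # fire once, then start counting afresh
            return {"rule_id": self.rule_id, "srcip": event["srcip"],
                    "count": self.frequency}
        return None


def active_response_args(alert, action="add"):
    """Argument vector the manager passes to the agent-side script.
    Conventional order: action, user ('-' when none), srcip, alert id, rule id.
    The alert id is a placeholder here."""
    return [action, "-", alert["srcip"], "ALERTID-PLACEHOLDER", str(alert["rule_id"])]


def run_detection(lines):
    """Run the 4xx-per-source-IP frequency rule over access-log lines."""
    rule = FrequencyRule(RULE_ID, FREQUENCY, TIMEFRAME,
                         match=lambda e: 400 <= e["status"] < 500)
    alerts = []
    for line in lines:
        alert = rule.feed(parse_apache(line))
        if alert:
            alerts.append(alert)
    return alerts


def build_sample_log():
    """Constructed traffic: one host probing non-existent paths every 5 s,
    plus a benign visitor with normal requests and a single 404."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req}" {status} 209 "-" "{ua}"'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for i in range(12):                    # 12 probes in 60 s exceeds 10 per 120 s
        lines.append(fmt.format(ip="203.0.113.7", ts=stamp(5 * i),
                                req=f"GET /admin{i}.php HTTP/1.1", status=404,
                                ua="scanner/1.0"))
        if i % 3 == 0:
            status = 404 if i == 6 else 200
            lines.append(fmt.format(ip="198.51.100.5", ts=stamp(5 * i + 1),
                                    req="GET /index.html HTTP/1.1", status=status,
                                    ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for alert in run_detection(build_sample_log()):
        print("rule fired:", alert)
        print("agent receives:", "route-null", active_response_args(alert))
```

Running the block prints one alert for 203.0.113.7 and the argument list the agent-side command would receive; the benign host never reaches the threshold. Mapping back to the thread's config: `<rules_id>31151</rules_id>` selects which manager-side alert triggers the response, `<command>route-null</command>` names the agent-side script, and `<timeout>600</timeout>` is when the manager sends the matching "delete" action.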