On Tue, May 7, 2013 at 12:31 PM, Ali man <[email protected]> wrote:
> Can someone explain how the OSSEC agent in an active response config
> detects or responds to events (e.g. a scan attempt on a web server, 404 status
> code)?
>
> I know that the XML block below at the server end fires up the response on
> the agent end. But all the rules are kept in the /root dir, not the usual
> installation dir for the agent. Apart from it monitoring the Apache access

The agents do not have the rules. The rules go on the server only.

> logs, it doesn't have a script or regex that tells us what status code to
> check.

The agents send the log messages to the server. The server does the analysis.

> Is it something that is shared on the fly between client and server using
> UDP port 1514? Kindly help me understand it.
>
> <!-- Active response to block http scanning -->
> <active-response>
>   <command>route-null</command>
>   <location>local</location>
>   <!-- Multiple web server 400 error codes from same source IP -->
>   <rules_id>31151</rules_id>
>   <timeout>600</timeout>
> </active-response>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
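The division of labour described in the reply (the agent only forwards raw log lines; the server decodes them, matches rules, and sends an active-response order back to the agent named by `<location>`) as an added Python illustration. This is not OSSEC's own code. The base rule id 31101, the frequency threshold and timeframe, the Apache log format, and the agent ids are assumptions; only rule 31151 and the `<active-response>` block come from the thread.

```python
"""
Added illustration (not OSSEC's code) of server-side analysis for the
<active-response> block quoted in the thread: raw Apache lines arrive from an
agent, the server decodes them, a frequency rule counts 4xx responses per
source IP, and when it fires the server returns an order for the agent to run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access log line: client IP, timestamp, request, status.
APACHE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) '
)

# Assumed values; in a real deployment they come from the server's rules file.
BASE_RULE_ID = 31101       # assumed: single-event "web server 4xx" rule
FREQ_RULE_ID = 31151       # the rule named in the thread's <active-response>
FREQUENCY = 12             # assumed: this many base-rule matches from one IP
TIMEFRAME = 120            # assumed: within this many seconds fires 31151

ACTIVE_RESPONSE = {        # the block from the thread, as the server stores it
    "command": "route-null",
    "location": "local",
    "rules_id": FREQ_RULE_ID,
    "timeout": 600,
}


def decode(line):
    """Server-side decoder: pull srcip, status and timestamp out of a raw line."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"srcip": m.group("srcip"), "status": int(m.group("status")), "ts": ts}


class Analyser:
    """Stand-in for the server's rule engine: frequency rule with same_source_ip."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.hits = defaultdict(deque)   # srcip -> timestamps of base-rule matches

    def process(self, agent_id, line):
        """Return an active-response order (dict) if the frequency rule fires, else None."""
        ev = decode(line)
        if ev is None or not 400 <= ev["status"] <= 499:
            return None                      # base rule did not match
        window = self.hits[ev["srcip"]]
        window.append(ev["ts"])
        # drop matches that fell out of the timeframe
        while (ev["ts"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()
        if len(window) < self.frequency:
            return None
        window.clear()                       # rule fired; start a fresh window
        return {
            **ACTIVE_RESPONSE,
            "srcip": ev["srcip"],
            # <location>local</location>: the order goes back to the agent that
            # forwarded the log line; that agent runs the route-null script.
            "target_agent": agent_id,
        }


def constructed_log(n, srcip="203.0.113.7", status=404, start_sec=0):
    """Build n constructed Apache lines, one per second, from one client IP."""
    lines = []
    for i in range(n):
        ts = f"07/May/2013:12:31:{start_sec + i:02d} +0000"
        lines.append(
            f'{srcip} - - [{ts}] "GET /nope{i} HTTP/1.1" {status} 196 "-" "curl/7.29.0"'
        )
    return lines


def run_demo():
    """Feed 12 constructed 404 lines from one IP; only the 12th yields an order."""
    analyser = Analyser()
    return [analyser.process("agent-001", line) for line in constructed_log(12)]


if __name__ == "__main__":
    for order in run_demo():
        if order:
            print("server -> agent", order["target_agent"], order)
```

Note what the agent never sees here: no rule ids, no status-code regex, no threshold. It only ships lines, and the decision it receives is the `<command>`/`<timeout>` pair the server derived from the rule that matched.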
