This is one example rule.
<rule id="20111" level="8" frequency="1" timeframe="3600" ignore="60">
  <if_matched_sid>20105</if_matched_sid>
  <same_user/>
  <description>Multiple phishing attempts with known bad links</description>
</rule>

<command>
  <name>reject-sender</name>
  <executable>reject-sender.sh</executable>
  <expect>user</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <!-- dummy -->
  <command>reject-sender</command>
  <location>defined-agent</location>
  <agent_id>032</agent_id>
  <level>8</level>
  <timeout>7200</timeout>
  <rules_id>20110, 20111, 20112, 20117</rules_id>
</active-response>
After fiddling with the timeout, I found out that the rule can fire as
often as the ignore field allows.
But it will only allow one single user at a time to be fired as an active
response.
I assume that the system is all about IP addresses?
Is there a way around this?
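As an added illustration (not the poster's script and not part of OSSEC itself), here is a reject-sender.sh handler for the command above. It assumes the argument order OSSEC's stock active-response scripts receive (action, user, source IP, alert id, rule id) and a hypothetical block-list file read by the mail gateway; the list is keyed on the user that <expect>user</expect> passes in, so repeated firings of rule 20111 inside the ignore="60" window stay idempotent and the delete call at <timeout> removes only that user.

```shell
#!/bin/sh
# reject-sender.sh: example OSSEC active-response handler (added example,
# not from the original post). Assumed argument order, as in OSSEC's stock
# scripts: ACTION USER SRCIP ALERTID RULEID. ACTION is "add" when the rule
# fires and "delete" when <timeout> expires.
# BLOCKLIST is a hypothetical file the mail gateway consults for rejected senders.

BLOCKLIST="${REJECT_SENDER_LIST:-/var/ossec/active-response/rejected-senders.txt}"
LOG="${REJECT_SENDER_LOG:-/var/ossec/logs/active-responses.log}"

log() {
    printf '%s %s\n' "$(date '+%Y/%m/%d %H:%M:%S')" "$*" >> "$LOG"
}

# add_sender USER: put USER on the list once; re-firing for the same user
# (frequency/ignore in rule 20111) must not create duplicate entries.
add_sender() {
    [ -f "$BLOCKLIST" ] || : > "$BLOCKLIST"
    grep -qxF -- "$1" "$BLOCKLIST" && return 0
    printf '%s\n' "$1" >> "$BLOCKLIST"
}

# delete_sender USER: drop only USER when its timeout expires, leaving other
# users that were added later untouched.
delete_sender() {
    [ -f "$BLOCKLIST" ] || return 0
    grep -vxF -- "$1" "$BLOCKLIST" > "$BLOCKLIST.tmp" || true
    mv "$BLOCKLIST.tmp" "$BLOCKLIST"
}

# is_rejected USER: succeed if USER is currently on the list.
is_rejected() {
    [ -f "$BLOCKLIST" ] && grep -qxF -- "$1" "$BLOCKLIST"
}

main() {
    ACTION="$1"; USER="$2"; SRCIP="$3"; ALERTID="$4"; RULEID="$5"
    case "$ACTION" in
        add)    add_sender "$USER" ;;
        delete) delete_sender "$USER" ;;
        *)      log "invalid action: $ACTION"; return 1 ;;
    esac
    log "$ACTION user=$USER ip=$SRCIP alert=$ALERTID rule=$RULEID"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```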
You received this message because you are subscribed to the Google Groups
"ossec-list" group.