Hi All,

I'm trying to get notifications for AR Firewall drops but I can't get it to 
work. The easiest (but not preferred) way seemed to be to edit the file 
"firewall_rules.xml" and change this:

  <rule id="4101" level="5">
    <if_sid>4100</if_sid>
    <action>DROP</action>
    <options>no_log</options>
    <description>Firewall drop event.</description>
    <group>firewall_drop,</group>
  </rule>

Into this:

  <rule id="4101" level="8">
    <if_sid>4100</if_sid>
    <action>DROP</action>
    <description>Firewall drop event.</description>
    <group>firewall_drop,</group>
  </rule>

Then, amazingly, the active response stops working completely. The 
preferred way, as I see it, would be to add a new rule and if_sid from the 
4101 with a level=8. 

<group name="firewall,">
  <rule id="100201" level="8">
    <if_sid>4101</if_sid>
    <description>TEST - Firewall DROP.</description>
  </rule>
</group> <!-- firewall, -->

But no luck on either setup. Can anybody see what I do not?

Thanks a lot.

Kind regards,

Gerard.
