On Sat, Nov 2, 2013 at 8:27 AM, Gerard Petersen <[email protected]> wrote:
> Hi All,
>
> I'm trying to get notifications for AR Firewall drops but I can't get it to
> work. The easiest (but not preferred) way seemed to edit file
> "firewall_rules.xml" and change this:
>
>   <rule id="4101" level="5">
>     <if_sid>4100</if_sid>
>     <action>DROP</action>
>     <options>no_log</options>
>     <description>Firewall drop event.</description>
>     <group>firewall_drop,</group>
>   </rule>
>

Does the above trigger when the logs come in? Can you provide a sample
of the logs?


> Into this:
>
>   <rule id="4101" level="8">
>     <if_sid>4100</if_sid>
>     <action>DROP</action>
>     <description>Firewall drop event.</description>
>     <group>firewall_drop,</group>
>   </rule>
>
> Then, amazingly, the active response stops working completely. The preferred
> way, as I see it, would be to add a new rule and if_sid from the 4101 with a
> level=8.
>
> <group name="firewall,">
>   <rule id="100201" level="8">
>     <if_sid>4101</if_sid>
>     <description>TEST - Firewall DROP.</description>
>   </rule>
> </group> <!-- firewall, -->
>
> But no luck on either setup. Can anybody see what I do not?
>
> Thanx a lot.
>
> Kind regards,
>
> Gerard.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
