On Tue, May 27, 2014 at 1:28 AM, John S <[email protected]> wrote:
> Hi All,
>
> I have rule 5712 configured on OSSEC agents, which blocks the source IP
> address.
>
> Is there any option to receive an email alert if a specific source IP is
> blocked by the firewall-drop.sh rule? I tried writing a decoder but was
> unsuccessful.

You could write a rule that checks for <if_sid>5712</if_sid> and
<srcip>IP</srcip>.
You'd have to make sure your active response configuration works with
that rule as well.

> Thanks
>
>
> Regards
> John
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
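
The child rule suggested in the reply above, together with the matching active-response entry, as an added example that is not part of the original thread or OSSEC's shipped configuration. The rule id 100100, the address 203.0.113.45 and the 600-second timeout are constructed placeholders.

```xml
<!-- local_rules.xml on the OSSEC server (added example).
     Rule id 100100 and 203.0.113.45 are constructed placeholders:
     use a free local rule id and the source IP you want to watch. -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="10">
    <!-- Evaluated only after rule 5712 has matched. -->
    <if_sid>5712</if_sid>
    <!-- Matches the source IP extracted by the decoder. -->
    <srcip>203.0.113.45</srcip>
    <!-- Always send mail for this rule, whatever the global email level. -->
    <options>alert_by_email</options>
    <description>Rule 5712 fired for a watched source IP.</description>
  </rule>
</group>

<!-- ossec.conf on the OSSEC server (added example).
     When the child rule matches, the alert is raised under id 100100
     instead of 5712, so an active response bound only to 5712 would not
     run for the watched IP. Listing both ids keeps firewall-drop working.
     The timeout value is an assumed placeholder. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712,100100</rules_id>
  <timeout>600</timeout>
</active-response>
```

Email notification must already be enabled in the server's global configuration, and the manager has to be restarted for the new rule to load.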
