Hi all. Has anyone headed down this road? We're intending to try to implement something like this:
1. syscheck runs on agents
2. agent submits its syscheck results to the Manager as usual
3. if the Manager sees a file has changed, Manager requests that the agent runs a command (with the changed filename as an argument)

One can easily extract the obvious use case from the info above: Gee, /var/www/somewhere/foo is new (or was changed). Determine if it is malware!

So far, due to the way Active Response works, there is no native way to have an agent do something if and only if the triggering log info originated at the agent itself (only run some command if *I* was the problem source). Best I can determine, we'd have to put a hack in the AR command that checks the srcip passed in against the IP addresses defined on the host. This kind of stinks because the script is still actually being fork+exec'd on ALL AGENTS before it short-circuits and exits on those hosts that do not match the origin srcip.

Other thoughts would be appreciated.
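The workaround described in the post, written out as an added example (this is not code from the post or from the OSSEC project): an active-response script that reads the arguments OSSEC's stock scripts receive (action, user, srcip, alert id, rule id, agent name, filename), exits immediately unless the srcip is one of the host's own addresses, and only then hashes the changed file and checks it against a local denylist. The denylist path, the log path, the LOCAL_IPS_OVERRIDE variable and the denylist format (one SHA-256 per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: active-response wrapper that acts only
# when the alert's srcip matches a local address, then inspects the file.
#
# OSSEC invokes active-response scripts as:
#   script <action> <user> <srcip> <alert_id> <rule_id> <agent_name> <filename>
# AR_DENYLIST and AR_LOG are assumed paths for this example, not OSSEC settings.

AR_DENYLIST="${AR_DENYLIST:-/var/ossec/etc/hash-denylist.txt}"   # assumed path
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"         # assumed path

# Print this host's IPv4 addresses as whitespace-separated tokens.
# LOCAL_IPS_OVERRIDE (an assumption for this example) lets a test supply the list.
local_ips() {
    if [ -n "${LOCAL_IPS_OVERRIDE:-}" ]; then
        echo "$LOCAL_IPS_OVERRIDE"
    elif command -v ip >/dev/null 2>&1; then
        ip -o -4 addr 2>/dev/null | awk '{ sub("/.*", "", $4); print $4 }'
    else
        hostname -I 2>/dev/null || true
    fi
}

# Return 0 if $1 is an address of this host, 1 otherwise (exact token match only).
is_local_ip() {
    needle=$1
    for addr in $(local_ips); do
        [ "$addr" = "$needle" ] && return 0
    done
    return 1
}

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Hash the changed file and look it up in the denylist. Prints "<sha256> <verdict>"
# with verdict "denylisted" or "unknown". Returns 1 if the file no longer exists
# (syscheck also reports deletions, so this is a normal case, not an error).
inspect_file() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    h=$(file_sha256 "$f")
    verdict=unknown
    if [ -r "$AR_DENYLIST" ] && grep -q -i "^$h" "$AR_DENYLIST"; then
        verdict=denylisted
    fi
    echo "$h $verdict"
}

main() {
    action=$1; ar_user=$2; srcip=$3; alert_id=$4; rule_id=$5; agent=$6; filename=$7
    # OSSEC calls the script again with "delete" when a timeout expires; nothing to undo here.
    [ "$action" = "add" ] || return 0
    # The short-circuit from the post: every agent with this command configured gets
    # exec'd, so bail out unless the alert's srcip is one of our own addresses.
    is_local_ip "$srcip" || return 0
    result=$(inspect_file "$filename") || result="missing"
    echo "$(date '+%Y-%m-%d %H:%M:%S') alert=$alert_id rule=$rule_id agent=$agent file=$filename $result" >> "$AR_LOG"
}

# Dispatch only when invoked by OSSEC with arguments; sourcing the file for tests
# just defines the functions.
[ "$#" -eq 0 ] || main "$@"
```

As the post says, this still costs a fork+exec on every agent that has the command configured; the check only keeps the non-originating agents from doing any real work. Logging the hash and verdict rather than acting on the file keeps the response auditable and lets an analyst decide what to do with an "unknown" result.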
