Hi Aksha and sorry for the late response,
I will try to help you solve this issue. I need some information to test
your use case and see what is happening.
First of all, could you tell me which Wazuh version you are using? Also, it
would be fine if you send the active response script you are
Hi,
My apologies for the late response. You could start creating decoders
following this example:
<!-- decoder tags restored from the flattened post; the child decoder names
     were not preserved, so "ossec_custom_child1/2" are placeholders -->
<decoder name="ossec_custom">
  <prematch>^\w+,\w+,\w+.</prematch>
</decoder>

<decoder name="ossec_custom_child1">
  <parent>ossec_custom</parent>
  <regex>\w+,(\w+),(\w+.\w+.\w+.\w+):(\d+),</regex>
  <order>info, srcip, srcport</order>
</decoder>

<decoder name="ossec_custom_child2">
  <parent>ossec_custom</parent>
  <regex>(\w+.\w+.\w+.\w+):(\d+),(\w+),</regex>
  <order>dstip, dstport, user</order>
</decoder>
Ossec logtest output:
Type one
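To see what the prematch / regex / order chain above actually extracts, here is an added Python model of it (not code from the thread or from Wazuh) run against constructed log lines. It uses Python's `re` in place of Wazuh's OS_Regex, so `\w` and `.` follow Python semantics; the child decoder names are assumptions, and the real behaviour should always be confirmed with ossec-logtest / wazuh-logtest.

```python
import re

# Added example: a simplified model of the parent/child decoder chain
# from the post. Python's `re` stands in for OS_Regex (an approximation).
PARENT = {
    "name": "ossec_custom",
    "prematch": re.compile(r"^\w+,\w+,\w+."),
}

CHILDREN = [
    {
        "name": "ossec_custom_child1",  # assumed name, not in the post
        "parent": "ossec_custom",
        "regex": re.compile(r"\w+,(\w+),(\w+.\w+.\w+.\w+):(\d+),"),
        "order": ["info", "srcip", "srcport"],
    },
    {
        "name": "ossec_custom_child2",  # assumed name, not in the post
        "parent": "ossec_custom",
        "regex": re.compile(r"(\w+.\w+.\w+.\w+):(\d+),(\w+),"),
        "order": ["dstip", "dstport", "user"],
    },
]


def decode(log: str) -> dict:
    """Return the decoder name plus the fields the children extract from
    one log line, or an empty dict when the parent prematch fails.

    In this model every child whose regex matches contributes its fields;
    a child that does not match simply leaves its fields absent, which is
    what a rule that expects e.g. `user` then sees as a missing field."""
    if not PARENT["prematch"].search(log):
        return {}
    result = {"decoder": PARENT["name"]}
    for child in CHILDREN:
        if child["parent"] != PARENT["name"]:
            continue
        match = child["regex"].search(log)
        if not match:
            continue
        for field, value in zip(child["order"], match.groups()):
            result[field] = value
    return result


if __name__ == "__main__":
    # Constructed sample lines (not real data): a full record, one without
    # the trailing user column, and one that is not in the expected format.
    samples = [
        "Mar03,100001,accept,10.0.0.5:51515,192.168.1.20:22,alice,login",
        "Mar03,100001,accept,10.0.0.5:51515,192.168.1.20:22",
        "this is not csv",
    ]
    for line in samples:
        print(line)
        print("  ->", decode(line))
```

The second sample shows the failure mode worth knowing about: the prematch and the first child match, but the second child's regex needs a comma-terminated user column, so `dstip`, `dstport` and `user` are never set and any rule keyed on them will not fire.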
Hi,
We are using AlienVault Version: OSSIM 5.7.4
For scripts we are referring to: https://github.com/jonschipp/nsm-tools/
The script is getting executed but we are not receiving FILENAME parameter
when RULE ID 554 is getting triggered.
Thanks in advance.
On Thu, Mar 3, 2022 at 5:45 PM Manuel
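When an active response script seems to run but a parameter such as FILENAME is missing, the quickest way to find out what execd actually passed is to log every positional argument before doing anything else. The following is an added Python example (not from the thread and not one of the nsm-tools scripts); it assumes the classic pre-4.2 argument layout `action user srcip alert_id rule_id agent filename` and that absent values arrive as `-`, both of which are assumptions to verify against the installed version.

```python
import sys
from datetime import datetime, timezone

# Added example. Assumed positional layout of the classic (Wazuh <= 4.1 /
# OSSEC) active-response interface; verify against your version.
ARG_NAMES = ["action", "user", "srcip", "alert_id", "rule_id", "agent", "filename"]

# Assumption: execd sends "-" for values that are not present in the alert.
EMPTY_MARKERS = (None, "", "-")


def parse_ar_args(argv):
    """Map positional arguments (without the script path) to named fields.
    Trailing arguments that were not supplied become None; anything beyond
    the known layout is kept under 'extra' so nothing is silently dropped."""
    fields = dict(zip(ARG_NAMES, argv))
    for name in ARG_NAMES:
        fields.setdefault(name, None)
    fields["extra"] = list(argv[len(ARG_NAMES):])
    return fields


def check_filename(fields):
    """Return (ok, message). A syscheck-driven response (rule 554 in the
    thread) cannot do its job without a filename, so report that case
    explicitly instead of failing later with an empty path."""
    filename = fields.get("filename")
    if filename in EMPTY_MARKERS:
        return False, "no filename received for rule %s" % fields.get("rule_id")
    return True, "filename received: %s" % filename


def format_log_line(fields, when=None):
    """Build one diagnostic line listing every received argument."""
    when = when or datetime.now(timezone.utc)
    parts = ["%s=%r" % (name, fields.get(name)) for name in ARG_NAMES]
    parts.append("extra=%r" % fields.get("extra", []))
    return "%s ar-debug %s" % (when.strftime("%Y/%m/%d %H:%M:%S"), " ".join(parts))


if __name__ == "__main__":
    received = parse_ar_args(sys.argv[1:])
    ok, message = check_filename(received)
    # Append to the standard active-response log so the arguments can be
    # compared with the alert that triggered the response.
    with open("/var/ossec/logs/active-responses.log", "a") as log:
        log.write(format_log_line(received) + "\n")
        log.write("%s ar-debug %s\n" % (
            datetime.now(timezone.utc).strftime("%Y/%m/%d %H:%M:%S"), message))
    sys.exit(0 if ok else 1)
```

Run it as the configured command and compare the `ar-debug` line in active-responses.log with the alert: if `filename` is logged as `-` or None while the alert itself carries a path, the gap is between analysisd and execd rather than inside the script.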
Hi again,
Which Wazuh version are you using? I suppose that you are using *4.1* or a
previous version, as from *4.2* active response custom scripts work
differently.
I have been testing your active response configuration and scripts are
being executed properly, as you said.
As you can see in