Nikita: One thing that I have noticed is that it doesn't seem to match two rules--example:
    <active-response>
      <command>host-deny</command>
      <location>all</location>
      <level>10</level>
      <timeout>600</timeout>
    </active-response>
    <active-response>
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

It seems that only one of the rules gets fired: it always seems to be the last one defined in the ossec.conf file, but I can't determine which one for sure. Anyway, I've only seen it fire one at a time, not both as you'd expect if you get, say, a level 13 event. This is the same behavior I've noticed for email alerts. Can anyone else confirm this?

It'd be nice to have it respond on multiple levels like this, especially for granular email alerting, so that the same rule but with different email addresses based on event level can both be fired.

I figured this out when I triggered a level 13 with the above two rules active, and only the level 6 one fired. Then I noticed that the email alerting rules were doing the same thing. It's entirely possible I have something screwed up.

Emil

On Jun 18, 9:14 am, Nikita Byalsky <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I have been testing OSSEC active response recently and my results
> indicate that using the 'all' location in an active response rule worked
> fine in v 1.4, but works as 'local' in 1.5 (ie, it only works on the
> machine that generated the alert and not across all machines).
>
> Any thoughts on this? I'm very curious to see if this is a bug or a
> misconfiguration on my part (although I have double-checked that my
> rules and commands do not have errors, and they work perfectly using
> defined-agent and server).
>
> Thanks for your time,
>
> --
> Nikita Byalsky
> Information Security and Unix Systems
> University of Pennsylvania
> School of Arts and Sciences
> 3600 Market St., Suite 501
> Philadelphia, PA 19104
> 215.573.8772
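A small check an administrator can run over ossec.conf to see which active-response blocks an alert of a given level would satisfy, so that a command defined twice (as in Emil's two host-deny blocks) is noticed before relying on both firing. This is added example code, not OSSEC's own; it assumes the config fits in one XML document and treats each block's <level> as a minimum threshold, and the sample config below is constructed from the blocks quoted above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the two host-deny blocks from the thread, one root.
SAMPLE_CONF = """<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def parse_active_responses(conf_text):
    """Return each <active-response> block as a dict, in file order."""
    # Wrap the text so a file with several <ossec_config> roots still parses.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    blocks = []
    for order, ar in enumerate(root.iter("active-response")):
        blocks.append({
            "order": order,
            "command": (ar.findtext("command") or "").strip(),
            "location": (ar.findtext("location") or "").strip(),
            "level": int((ar.findtext("level") or "0").strip()),
        })
    return blocks


def matching_blocks(blocks, alert_level):
    """Blocks whose <level> threshold an alert of alert_level meets, in file order.

    A level 13 alert matches both sample blocks, which is what the thread
    expected to see fire; a level 8 alert matches only the level-6 block.
    """
    return [b for b in blocks if alert_level >= b["level"]]


def duplicate_commands(blocks):
    """Commands configured in more than one block, with their levels in file order."""
    levels = defaultdict(list)
    for b in blocks:
        levels[b["command"]].append(b["level"])
    return {cmd: lv for cmd, lv in levels.items() if len(lv) > 1}
```

Any command listed by duplicate_commands is one where the thread's observed behaviour (only one block firing) would silently drop the other response.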