Here's how I have mine set up:

In ossec.conf I've added the following

<command>
  <name>arptest</name>
  <executable>arptest.pl</executable>
  <expect>srcip</expect>
</command>

<active-response>
  <command>arptest</command>
  <location>server,defined-agent</location>
  <agent_id>002</agent_id>
  <rules_id>7201,7202,7204,7206</rules_id>
</active-response>

The <rules_id> tag specifies which rules trigger the arptest command. <agent_id> is just the agent I want these run on.

On Wed, Mar 17, 2010 at 9:12 PM, andre pawlowski <sq...@h4des.org> wrote:
> Hi guys,
>
> I've written my own active-response script. But this script should only
> be activated by some local rules. Is there any option for rules to use
> an alternate active-response script?
>
> Thanks in advance.
>
> Andre
>
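
Added example (not part of the original message, and not OSSEC's own code): a small audit that reads an ossec.conf and reports which active-response command each rule ID triggers, so you can confirm a custom script is bound only to the intended rules. The function name, the sample file contents and the three checks are assumptions made for this illustration; flagging a missing <rules_id> is this checker's own policy.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the snippet from the message inside <ossec_config>,
# plus a second, deliberately incomplete <active-response> to be flagged.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>arptest</name>
    <executable>arptest.pl</executable>
    <expect>srcip</expect>
  </command>
  <active-response>
    <command>arptest</command>
    <location>server,defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>7201,7202,7204,7206</rules_id>
  </active-response>
  <active-response>
    <command>not-defined</command>
    <location>defined-agent</location>
  </active-response>
</ossec_config>
"""

def audit_active_responses(conf_text):
    """Return ({rule_id: [command, ...]}, [problem, ...]) for an ossec.conf."""
    # A real ossec.conf can hold several <ossec_config> blocks; wrap them in
    # one synthetic root so the parser accepts the file.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # Command definitions carry a <name> child; the <command> reference
    # inside <active-response> is text only.
    defined = {c.findtext("name").strip() for c in root.iter("command")
               if c.findtext("name")}
    by_rule, problems = {}, []
    for n, ar in enumerate(root.iter("active-response"), 1):
        cmd = (ar.findtext("command") or "").strip()
        if cmd not in defined:
            problems.append(f"#{n}: command '{cmd}' is not defined")
        if ("defined-agent" in (ar.findtext("location") or "")
                and not (ar.findtext("agent_id") or "").strip()):
            problems.append(f"#{n}: defined-agent without <agent_id>")
        rules = [r.strip() for r in (ar.findtext("rules_id") or "").split(",")]
        rules = [r for r in rules if r]
        if not rules:
            problems.append(f"#{n}: no <rules_id>, not tied to specific rules")
        for rule in rules:
            by_rule.setdefault(rule, []).append(cmd)
    return by_rule, problems
```

Calling audit_active_responses(open("ossec.conf").read()) on a manager's file gives the same two results; the path is whatever your installation uses.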