OSSEC 2.5.1, Fedora 13

In /var/ossec/etc/ossec.conf, I have

<command>
 <name>firewall-drop</name>
 <executable>firewall-drop.sh</executable>
 <expect>srcip</expect>
 <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
 <command>firewall-drop</command>
 <location>local</location>
 <rules_id>31151</rules_id>
 <level>8</level>
</active-response>

My logs show multiple 31151 alerts. For example:
ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'

As far as I can tell, the active response has never been triggered.
There's no active-response log in /var/ossec/logs and no logging of
firewall changes.

What am I missing?

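What ossec-execd actually runs when a response like the one above fires, as an added example that is not part of the original post and not OSSEC's own firewall-drop.sh: execd invokes the configured executable from /var/ossec/active-response/bin with the positional arguments ACTION USER SRCIP ALERTID RULEID (ACTION is "add" or "delete", USER is "-" when the response expects srcip), and the stock scripts append a line to /var/ossec/logs/active-responses.log, which is the file the poster is looking for. The script below is a hypothetical minimal stand-in in that style; it validates srcip before handing it to iptables (the value comes straight out of a parsed log line, so it must never reach a shell unchecked), logs the invocation, and lets the log path be overridden through an assumed OSSEC_AR_LOG environment variable so it can be exercised without root.

```shell
#!/bin/sh
# Hypothetical minimal active-response script in the style of OSSEC's
# firewall-drop.sh (example code, not OSSEC's). ossec-execd calls it as:
#   firewall-drop.sh ACTION USER SRCIP ALERTID RULEID
# ACTION is "add" or "delete"; USER is "-" when <expect> is srcip.

# Stock scripts log here; OSSEC_AR_LOG is an assumed override for testing.
LOG_FILE="${OSSEC_AR_LOG:-/var/ossec/logs/active-responses.log}"

# Accept only a plain dotted-quad IPv4 address. srcip is attacker-influenced
# (it is parsed from a web server log), so reject anything that could carry
# shell metacharacters or iptables option syntax.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1            # split into octets on "."
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables command for ACTION and SRCIP without running it,
# so the mapping can be checked in isolation.
build_rule() {
    action=$1; ip=$2
    valid_ipv4 "$ip" || { echo "invalid srcip: $ip" >&2; return 1; }
    case "$action" in
        add)    echo "iptables -I INPUT -s $ip -j DROP" ;;
        delete) echo "iptables -D INPUT -s $ip -j DROP" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Append one line per invocation, as the stock scripts do, so that a
# missing active-responses.log means execd never ran the script.
log_ar() {
    echo "$(date '+%a %b %e %H:%M:%S %Z %Y') $0 $*" >> "$LOG_FILE"
}

main() {
    cmd=$(build_rule "$1" "$3") || exit 1
    log_ar "$@"
    $cmd
}

# Run only when executed as firewall-drop.sh, not when sourced for testing.
[ "${0##*/}" = "firewall-drop.sh" ] && main "$@"
```

Running it by hand as root, `./firewall-drop.sh add - 203.0.113.5 1234567890.1 31151`, is a quick way to separate "the script is broken" from "execd never called it": if the line appears in active-responses.log and the iptables rule shows up, the script works and the problem is on the ossec-execd or configuration side.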