Your <command> section looks OK. There may be issues with the <active-response> portion however. Try this:

    <active-response>
      <disabled>no</disabled>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_id>31151</rules_id>
      <level>8</level>   (I don't think you even need this flag if you *only* want to trigger on the rule id 31151)
    </active-response>

Let us know if that works. I think it might be the "disabled" flag that was keeping it back.

On Oct 27, 10:44 am, Steven Stern <subscribed-li...@sterndata.com> wrote:
> In /var/ossec/etc/ossec.conf, I have
>
>     <command>
>       <name>firewall-drop</name>
>       <executable>firewall-drop.sh</executable>
>       <expect>srcip</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
>
>     <active-response>
>       <command>firewall-drop</command>
>       <location>local</location>
>       <rules_id>31151</rules_id>
>       <level>8</level>
>     </active-response>
>
> My logs show multiple 31151 alerts. For example:
>
>     ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
>     ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
>
> As far as I can tell, the active response has never been triggered.
> There's no active-response log in /var/ossec/logs and no logging of
> firewall changes.
>
> What am I missing?
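The rule-to-response binding both configs in this thread rely on, as an added illustration (not code from the thread or from OSSEC itself): a small Python model of how an <active-response> block selects the rules it fires on. It assumes, from my reading of OSSEC's analysisd rule loading, that <level>, <rules_id> and <rules_group> are AND-ed (a response is bound to a rule only when every option that is set matches); verify that against the OSSEC version you run. The alert lines are the two quoted above, the parsing regex and the names ActiveResponse, matches and responses_for are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Matches the "Rule: <id> (level <n>) -> '<description>'" fragment of an
# ossec-alerts-*.log line, in the form quoted in the thread.
ALERT_RE = re.compile(
    r"Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'"
)


@dataclass
class ActiveResponse:
    """One <active-response> block (hypothetical model, not OSSEC's own struct)."""
    command: str
    location: str = "local"
    level: Optional[int] = None                          # <level>: minimum rule level, if set
    rules_id: Set[int] = field(default_factory=set)      # <rules_id>: comma-separated in XML
    rules_group: Set[str] = field(default_factory=set)   # <rules_group>: comma-separated in XML
    disabled: bool = False                               # <disabled>yes</disabled>


def parse_rules_id(text: str) -> Set[int]:
    """Turn the comma-separated <rules_id> text into a set of rule ids."""
    return {int(x) for x in text.split(",") if x.strip()}


def parse_alert(line: str):
    """Extract (rule id, level, description) from an alert log line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m.group("id")), int(m.group("level")), m.group("desc")


def matches(ar: ActiveResponse, rule_id: int, rule_level: int, rule_groups=()) -> bool:
    """Assumption: every option that is set must match (AND semantics);
    a disabled block never binds."""
    if ar.disabled:
        return False
    if ar.level is not None and rule_level < ar.level:
        return False
    if ar.rules_id and rule_id not in ar.rules_id:
        return False
    if ar.rules_group and not (ar.rules_group & set(rule_groups)):
        return False
    return True


def responses_for(alert_line: str, responses, rule_groups=()):
    """Commands that would run for the rule named in one alert line."""
    parsed = parse_alert(alert_line)
    if parsed is None:
        return []
    rule_id, level, _ = parsed
    return [ar.command for ar in responses if matches(ar, rule_id, level, rule_groups)]


# Constructed sample input: the two alert lines quoted in the thread.
SAMPLE_ALERTS = [
    "ossec-alerts-23.log:Rule: 31151 (level 10) -> "
    "'Mutiple web server 400 error codes from same source ip.'",
    "ossec-alerts-25.log:Rule: 31151 (level 10) -> "
    "'Mutiple web server 400 error codes from same source ip.'",
]

# The block as posted: rules_id 31151 together with level 8.
ORIGINAL = ActiveResponse(command="firewall-drop", rules_id=parse_rules_id("31151"), level=8)
# Only rules_id, as the reply says is enough when you want that one rule.
ID_ONLY = ActiveResponse(command="firewall-drop", rules_id=parse_rules_id("31151"))
# A level threshold above the rule's real level (10): never binds.
TOO_HIGH = ActiveResponse(command="firewall-drop", rules_id=parse_rules_id("31151"), level=12)
# The same block switched off with <disabled>yes</disabled>.
OFF = ActiveResponse(command="firewall-drop", rules_id=parse_rules_id("31151"), disabled=True)


def demo():
    """Which commands each variant binds to the first quoted alert."""
    variants = [("original", ORIGINAL), ("id_only", ID_ONLY),
                ("too_high", TOO_HIGH), ("disabled", OFF)]
    return {name: responses_for(SAMPLE_ALERTS[0], [ar]) for name, ar in variants}


if __name__ == "__main__":
    for name, cmds in demo().items():
        print(f"{name}: {cmds or 'no response bound'}")
```

Under those assumptions both the posted block and the id-only variant bind firewall-drop to rule 31151 (level 10 satisfies a minimum of 8), so the selection options themselves are not what keeps it from firing; the disabled variant and a threshold above the rule's level are the two ways the block silently never binds. When a response does run, OSSEC records it in /var/ossec/logs/active-responses.log, and the config is only re-read on a restart of the OSSEC processes, so check both before suspecting the matching options.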