Thanks for this fast response, I'll answer inline.
On 21.07.2012 16:52, dan (ddp) wrote:
>> 1. Is there an option I can set to enable active_response but not
>> actually block the attacker? Some kind of file or log with messages
>> like: "OSSEC would have added the IP 123.123.123.123 to your
>> iptables/host.deny". I would like to see this before enabling it and
>> potentially blocking a customer.
>>
> Create an AR script that just logs that information. `echo "$@" >>
> /var/log/almost-ar.log`
Ok, I'll try this and see what I have to tweak.
>> 3. Speaking of the webUI. I find it very disturbing that it is still
>> listed on the OSSEC download page (and hosted on ossec.net) and not
>> in the least marked as deprecated or unsupported. There seem to be
>> several patches in the archives but nowhere else.
> I've been told it's being worked on.
Good to hear, but I'll try the patches from this list (if I can find
them again) nevertheless.
>> last note: the first steps with OSSEC page should be updated because
>> some links are not working anymore (I would have liked to see a
>> video tutorial or some more first-steps documentation).
>>
> Do you have a video to share? How exciting is a video of command line
> activity? I don't think that page is part of the documentation I work
> on, but I'll double check. Maybe someone with access will fix it.
I'd find it better if there were an audio commentary on the questions of
the install script. It helps in understanding the different features and
how they are connected. But that may be just my view as a junior sysadmin.
Regards
Christian
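A fuller version of dan's log-only active-response idea, added here as an example (it is not code from this thread or from the OSSEC project). It accepts the positional arguments OSSEC passes to the stock scripts such as host-deny.sh (action, user, source IP, alert id, rule id) and appends what a blocking script would have done to a log instead of acting, so you can watch for a while before letting it touch a customer. The log path /var/log/almost-ar.log comes from dan's reply; the script name log-only.sh, the AR_LOG override, the ossec.conf element values in the header comment and the sample arguments in the usage note are my assumptions.

```shell
#!/bin/sh
# log-only.sh: dry-run OSSEC active-response script (added example, not
# part of the OSSEC project). OSSEC invokes AR scripts as
#   script <action> <user> <srcip> <alertid> <ruleid>
# where action is "add" when the alert fires and "delete" when the
# <timeout> in ossec.conf expires; the stock host-deny.sh and
# firewall-drop.sh read their arguments the same way.
#
# Install it like the stock scripts (assumed names/values for this example):
#   /var/ossec/active-response/bin/log-only.sh, chmod 750, chown root:ossec
# and in ossec.conf:
#   <command><name>log-only</name><executable>log-only.sh</executable>
#            <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
#   <active-response><command>log-only</command><location>local</location>
#            <level>6</level><timeout>600</timeout></active-response>

# Shape check on the srcip field. The value is extracted from parsed log
# data, so a real blocking script must validate it before handing it to
# iptables or hosts.deny. OSSEC passes "-" when the alert had no source IP.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# One-line description of what the real script would have done.
# $1 action, $2 srcip, $3 alertid, $4 ruleid
format_record() {
    case "$1" in
        add)    what="would add $2 to" ;;
        delete) what="would remove $2 from" ;;
        *)      what="unknown action '$1' for $2 in" ;;
    esac
    printf '%s iptables/hosts.deny (rule %s, alert %s)\n' "$what" "$4" "$3"
}

# Append a timestamped record to the log; AR_LOG overrides the path
# (assumed variable name, useful when testing by hand).
log_record() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" \
        >> "${AR_LOG:-/var/log/almost-ar.log}"
}

# Entry point in OSSEC's argument order ($2, the user, is not needed here).
# Returns 1 and logs a refusal instead of a record when srcip is malformed.
main() {
    action="$1"; ip="$3"; alertid="$4"; ruleid="$5"
    if ! valid_ip "$ip"; then
        log_record "refusing malformed srcip '$ip' (rule $ruleid, alert $alertid)"
        return 1
    fi
    log_record "$(format_record "$action" "$ip" "$alertid" "$ruleid")"
}

# Run only when invoked (by OSSEC or by hand) with arguments.
[ $# -eq 0 ] || main "$@"
```

To exercise it by hand before wiring it into ossec.conf, run something like `sh log-only.sh add - 123.123.123.123 1342882320.12345 31151` (constructed sample values) and then `tail /var/log/almost-ar.log`. Once the log shows only addresses you would actually have blocked, point the `<executable>` at host-deny.sh or firewall-drop.sh instead; the `delete` records tell you whether the `<timeout>` you chose is long enough.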