You need to do the following steps:
1. Copy your script to the active response dir of ossec.
2. Register your script as an active response within ossec.conf:
  <command>
    <name>myAR</name>
    <executable>myAR.sh</executable>
  </command>
3. Define the criteria for your new AR in ossec.conf:
  <active-response>
    <command>myAR</command>
    <location>local</location>
    <rules_id>11, 12</rules_id>
  </active-response>
Here's how I have mine set up:
In ossec.conf I've added the following:
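  <command>
    <name>arptest</name>
    <executable>arptest.pl</executable>
    <expect>srcip</expect>
  </command>

  <active-response>
    <command>arptest</command>
    <location>server,defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>7201,7202,7204,7206</rules_id>
  </active-response>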
The <rules_id> tag specifies which rules trigger the arptest command.
<agent_id> is just the agent I want these run on.
On Wed,
Hi guys,
I've written my own active-response script. But this script should only
be activated by some local rules. Is there any option for rules to use
an alternate active-response script?
Thanks in advance.
Andre
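
A consistency check for the three steps described in the replies above, as an added example that is not part of the original thread or of OSSEC itself. It assumes the relevant part of ossec.conf parses as XML once wrapped in a single root; the function name, the sample configuration and the misspelled command name in it are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def lint_active_response(conf_text, ar_dir_files):
    """Return problems in the <command>/<active-response> blocks of ossec.conf."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    problems, commands = [], {}
    for cmd in root.iter("command"):
        name = (cmd.findtext("name") or "").strip()
        if not name:
            continue  # a <command> reference inside <active-response>, not a definition
        exe = (cmd.findtext("executable") or "").strip()
        commands[name] = exe
        if exe not in ar_dir_files:  # step 1: script copied to the AR directory?
            problems.append(f"command '{name}': '{exe}' not in active-response dir")
    for ar in root.iter("active-response"):
        ref = (ar.findtext("command") or "").strip()
        if ref not in commands:  # steps 2 and 3: name must match a registered command
            problems.append(f"active-response: undefined command '{ref}'")
        rules = (ar.findtext("rules_id") or "").strip()
        if rules and not re.fullmatch(r"\d+(\s*,\s*\d+)*", rules):
            problems.append(f"active-response '{ref}': malformed rules_id '{rules}'")
        if "defined-agent" in (ar.findtext("location") or "") and not ar.findtext("agent_id"):
            problems.append(f"active-response '{ref}': defined-agent needs agent_id")
    return problems

# Constructed sample: the second <active-response> misspells the command name.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>arptest</name>
    <executable>arptest.pl</executable>
    <expect>srcip</expect>
  </command>
  <active-response>
    <command>arptest</command>
    <location>server,defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>7201,7202,7204,7206</rules_id>
  </active-response>
  <active-response>
    <command>arptset</command>
    <location>defined-agent</location>
  </active-response>
</ossec_config>
"""
if __name__ == "__main__":
    print("\n".join(lint_active_response(SAMPLE_CONF, {"arptest.pl"})))
```

In practice the second argument would be the listing of the active-response script directory on the host being checked.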