active_response_logic.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Active-response Internal Logic Flow — OSSEC</title>
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/bootstrap-sphinx.css" type="text/css" />
<link rel="stylesheet" href="../_static/bootstrap-3.2.0/css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="../_static/bootstrap-3.2.0/css/bootstrap-theme.min.css" type="text/css" />
<link rel="stylesheet" href="../_static/parallax.css" type="text/css" />
<script id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
<script src="../_static/jquery.js"></script>
<script src="../_static/underscore.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/js/jquery-1.11.0.min.js"></script>
<script src="../_static/js/jquery-fix.js"></script>
<script src="../_static/bootstrap-3.2.0/js/bootstrap.min.js"></script>
<script src="../_static/bootstrap-sphinx.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<meta charset='utf-8'>
<meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
<meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
<meta name="apple-mobile-web-app-capable" content="yes">
</head><body>
<div id="navbar" class="navbar navbar-inverse navbar-default ">
<div class="container">
<div class="navbar-header">
<!-- .btn-navbar is used as the toggle for collapsed navbar content -->
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="../index.html"><img src="../_static/ossec_logo_bare_small.png">
OSSEC</a>
<span class="navbar-text navbar-version pull-left"><b>3.6.0</b></span>
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-12">
<div class="section" id="active-response-internal-logic-flow">
<h1>Active-response Internal Logic Flow<a class="headerlink" href="#active-response-internal-logic-flow" title="Permalink to this headline">¶</a></h1>
<p>This is taken directly from the documentation in the source.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">OSSEC HIDS 0.6</span>
<span class="go">Copyright (c) 2004-2006 Daniel B. Cid &lt;daniel.cid@gmail.com&gt; &lt;dcid@ossec.net&gt;</span>
</pre></div>
</div>
<p>How the active response works internally:</p>
<ul class="simple">
<li><p>Read active-response-doc.txt for details on configuration</p></li>
</ul>
<ol class="arabic simple">
<li><p>The analysis server receives an event that matches an active response policy.</p></li>
<li><p>The analysis server verifies that all fields required by the response are present in the event. That is, the analysis server must have been able to decode the event and extract the necessary information; for example, it must have extracted the source IP address from the event before that address can be sent to the firewall to be blocked.</p></li>
<li><p>If the active response policy specifies that the action must be executed locally on the analysis server (AS), a message is sent directly to execd.</p></li>
<li><p>If the active response policy specifies that the action must be executed remotely, a message is sent to the “Active response forwarder” (remoted), which forwards the event to the specified agent.</p></li>
</ol>
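<p>The four steps above as an added, runnable model of the dispatch decision. This is example code written for this page, not OSSEC's own implementation; the policy fields (<code>expects</code>, <code>location</code> values <code>local</code>/<code>agent</code>), rule ids, levels and the sample IP address are assumptions, constructed to mirror the text.</p>

```python
from dataclasses import dataclass, field

@dataclass
class ARPolicy:
    name: str          # command name, e.g. "firewall-drop" (assumed)
    rule_ids: set      # rule ids that trigger this response
    min_level: int     # minimum alert level that triggers it
    expects: tuple     # decoded fields the command needs, e.g. ("srcip",)
    location: str      # "local": run on the analysis server; "agent": forward
    agent_id: str = "" # fixed target agent; empty = the reporting agent

@dataclass
class Alert:
    rule_id: int
    level: int
    fields: dict = field(default_factory=dict)  # values the decoder extracted
    agent_id: str = "000"                       # agent that reported the event

def dispatch(alert, policies):
    """Apply steps 1-4 to one alert; return (destination, policy, payload)
    tuples where destination is "execd", "remoted" or "skip"."""
    decisions = []
    for p in policies:
        # Step 1: the event must match the policy (rule id and level).
        if alert.rule_id not in p.rule_ids or alert.level < p.min_level:
            continue
        # Step 2: every field the command needs must have been decoded.
        missing = [f for f in p.expects if not alert.fields.get(f)]
        if missing:
            decisions.append(("skip", p.name, "missing " + ",".join(missing)))
            continue
        args = {f: alert.fields[f] for f in p.expects}
        if p.location == "local":
            # Step 3: a local action goes straight to execd on the server.
            decisions.append(("execd", p.name, args))
        else:
            # Step 4: a remote action is handed to remoted for the target agent.
            target = p.agent_id or alert.agent_id
            decisions.append(("remoted", p.name, {"agent": target, **args}))
    return decisions
# Constructed sample policies and alerts (rule ids, levels, IP are made up).
POLICIES = [
    ARPolicy("host-deny", {5712}, 10, ("srcip",), "local"),
    ARPolicy("firewall-drop", {5712, 31151}, 7, ("srcip",), "agent"),
]

def example():
    decoded = Alert(5712, 10, {"srcip": "203.0.113.5"}, agent_id="001")
    undecoded = Alert(5712, 10, {}, agent_id="001")   # decoder found no IP
    return dispatch(decoded, POLICIES), dispatch(undecoded, POLICIES)
```

<p>The second alert shows why step 2 matters: with no decoded source address, neither response is dispatched, since there is nothing to pass to the firewall command.</p>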
</div>
</div>
</div>
</div>
<footer class="footer">
<div class="container">
<p class="pull-right">
<a href="#">Back to top</a>
</p>
<p>
© Copyright 2010-2021, OSSEC Project Team.<br/>
OSSEC <b>ossec.net</b> domain owned and maintained by <a href="https://www.ossec.net" target="_blank">OSSEC Foundation</a><br/>
Home page graphics courtesy of <a href="https://pixabay.com" target="_blank">pixabay</a>
</p>
</div>
</footer>
</body>
</html>