command
In a <command> configuration section you define a command that one or more active responses can use. You can define as many commands as needed, but each one must be in its own separate <command> section.
Options
name
This field specifies the name of the command which is called in the active-response section.
Default value  | n/a
Allowed values | Any name
Use            | Required
executable
This must be a file (with the execute permission set) inside /var/ossec/active-response/bin. You don't need to provide the path.
Default value  | n/a
Allowed values | Any file name
Use            | Required
expect
This is a list of zero or more names of extracted fields that are passed as parameters to the command. If a listed field was not extracted in a given instance, its value is passed as a dash (-) rather than being omitted. A good example is the firewall-block command, which expects the srcip field so it knows which IP to block. Multiple expected field names are comma separated.
Default value  | n/a
Allowed values | Names of extracted fields, like srcip or username, separated by commas if there is more than one.
Use            | Required
Note: You can specify no fields by using <expect></expect>. That is the valid setting when no options need to be passed to the active-response command.
timeout_allowed
If yes, the command is stateful: after a configured length of time it is called again and instructed to undo its original action.
Default value  | yes
Allowed values | yes/no
Example of configuration
<!-- For Unix systems -->
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- For Windows systems -->
<command>
  <name>win_route-null</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
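The following is an added example, not part of the OSSEC documentation or code base: a small linter that checks the <command> blocks of an ossec.conf fragment against the rules stated above (name and executable required, executable given as a bare file name, expect present but allowed to be empty, timeout_allowed defaulting to yes and accepting only yes/no). The SAMPLE_CONF fragment is constructed for the example.

```python
# Added example, not from the OSSEC docs: lint the <command> blocks of an
# ossec.conf fragment against the rules on this page. SAMPLE_CONF is constructed.
import xml.etree.ElementTree as ET

SAMPLE_CONF = """<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <command>
    <name>bad-cmd</name>
    <executable>/usr/local/bin/custom.sh</executable>
    <timeout_allowed>maybe</timeout_allowed>
  </command>
</ossec_config>"""

def lint_command(cmd):
    errors = []
    name = (cmd.findtext("name") or "").strip()
    if not name:
        errors.append("<name> is required")
    exe = (cmd.findtext("executable") or "").strip()
    if not exe:
        errors.append("<executable> is required")
    elif "/" in exe or "\\" in exe:
        # The file lives in /var/ossec/active-response/bin; no path is given.
        errors.append("<executable> must be a bare file name, not a path: %r" % exe)
    expect_el = cmd.find("expect")
    fields = []
    if expect_el is None:
        errors.append("<expect> is required; use <expect></expect> for no fields")
    else:  # an empty <expect></expect> is valid and passes no fields
        fields = [f.strip() for f in (expect_el.text or "").split(",") if f.strip()]
    timeout = (cmd.findtext("timeout_allowed") or "yes").strip().lower()  # default: yes
    if timeout not in ("yes", "no"):
        errors.append("<timeout_allowed> must be yes or no, got %r" % timeout)
    return name, fields, timeout, errors

def lint_conf(xml_text):
    """Map each command name to (expect_fields, timeout_allowed, errors)."""
    root = ET.fromstring(xml_text)
    return {r[0]: r[1:] for r in map(lint_command, root.findall("command"))}
```

Running lint_conf(SAMPLE_CONF) reports the first two commands as clean and flags bad-cmd three times: its executable carries a path, it has no <expect> element, and its <timeout_allowed> is neither yes nor no.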