X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Factive-response-internal.txt;fp=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Factive-response-internal.txt;h=bcb71c62b293deb7a36231994cb604cfc723a3f8;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/active-response-internal.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/active-response-internal.txt
new file mode 100644
index 0000000..bcb71c6
--- /dev/null
+++ b/debian/ossec-hids/usr/share/doc/ossec-hids/active-response-internal.txt
@@ -0,0 +1,29 @@
+OSSEC HIDS 0.6
+Copyright (c) 2004-2006 Daniel B. Cid   <daniel.cid@gmail.com>
+                                        <dcid@ossec.net>
+                                        
+
+How the active response works internally:
+
+- Read active-response.txt for details on configuration
+
+
+1 - The analysis server receives an event that matches the
+    active response policy.
+
+2 - The analysis server verifies that all required fields
+    are provided with the event. It means that the analysis
+    server was able to decode the event and extract the
+    necessary information. One example is if it was able
+    to extract the IP address from the event to send to 
+    the firewall to be blocked.
+    
+3 - If the active response policy specify that the action
+    must be executed locally on the AS, a message is sent
+    to the execd directly.
+
+4 - If the active response policy specify that the action
+    must be executed remotely, a message is sent to the
+    "Active response forwarder" (remoted) to forward the
+    event to the specified agent.    
+