As far as I know, OSSEC is an open source HIDS. It's a "Detection System". I read in journals that it collects logs, flags any anomaly that has been found in a system (e.g. a Debian server) and does some action with it.
In some of OSSEC's rules, there's a possible way to prevent the anomaly from doing its action, like preventing brute force by blocking an IP for 600 seconds if the authentication failed 2 times.
My question: how can OSSEC handle a virus that is already spreading? OSSEC just detects the anomaly and does some action. What could OSSEC do if this condition were to happen? Is there any logic I can put into OSSEC rules that disconnects all the network, or is there another way? Is it possible?
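For reference, this is what the brute-force case mentioned in the question looks like as OSSEC configuration. It is an added example, not part of the original post: a local rule that fires after two matches of the same source IP, and an active-response entry that runs the `firewall-drop` command for 600 seconds. The local rule id `100100`, the parent rule id `5716` (sshd authentication failure in the stock ruleset) and the 120-second timeframe are assumptions; adjust them to your ruleset.

```xml
<!-- local_rules.xml: constructed example rule, not shipped with OSSEC -->
<group name="local,syslog,sshd,">
  <!-- Fires when rule 5716 (assumed: sshd authentication failed) matches
       twice from the same source IP within 120 seconds. -->
  <rule id="100100" level="10" frequency="2" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Two SSH authentication failures from the same source</description>
  </rule>
</group>

<!-- ossec.conf fragment: the command that performs the block and the
     active response that ties it to the rule above. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <!-- Block is undone automatically after 600 seconds. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The response is only as safe as the script behind `<command>`, so any broader action (such as isolating a host) should be tested against false positives before it is wired to a rule.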