Can someone explain how the OSSEC agent in an active response config detects or responds to events (e.g. a scan attempt on a web server producing 404 status codes)?
I know that the XML block below at the server end fires up the response on the agent end. But all the rules are kept in the /root dir, not the usual installation dir for the agent. Apart from monitoring the Apache access logs, it doesn't have a script or regex that tells us what status code to check.
Is it something that is shared on the fly between client and server using UDP port 1514? Kindly help me understand it.
<!-- Active response to block http scanning -->
<active-response>
  <command>route-null</command>
  <location>local</location>
  <!-- Multiple web server 400 error codes from same source IP -->
  <rules_id>31151</rules_id>
  <timeout>600</timeout>
</active-response>
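The split the question asks about is that the agent only forwards raw log lines to the manager; the matching (rule 31101 for any 4xx status, then the frequency rule 31151 on the same source IP) happens on the manager, which then tells the agent to run the response. The following added example (not OSSEC's code) simulates that manager-side correlation over constructed Apache log lines; the frequency and timeframe thresholds are assumptions, not OSSEC's shipped values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields the web rules need are captured.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample of what the agent's logcollector would forward to the manager.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /missing.css HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 209
"""

def parse_line(line):
    """Decoder stage: turn one access-log line into fields, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"srcip": m.group("srcip"), "status": m.group("status"), "ts": ts}

def rule_31101(event):
    """Child rule: web server 400-class error code (status begins with 4)."""
    return event["status"].startswith("4")

def run_rules(log_text, frequency=4, timeframe=90):
    """Manager-side correlation: rule 31151 fires when rule 31101 matched
    `frequency` times from the same source IP within `timeframe` seconds
    (both thresholds assumed here). Returns the active-response dispatches
    the manager would send back to the agent, mirroring the config above."""
    window = defaultdict(deque)   # srcip -> timestamps of recent 4xx hits
    responses = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not rule_31101(ev):
            continue
        hits = window[ev["srcip"]]
        hits.append(ev["ts"])
        while hits and ev["ts"] - hits[0] > timeframe:   # drop hits outside window
            hits.popleft()
        if len(hits) >= frequency:
            responses.append({"rule_id": 31151, "command": "route-null",
                              "location": "local", "srcip": ev["srcip"],
                              "timeout": 600})
            hits.clear()   # simplification: one burst yields one response
    return responses
```

The srcip in the dispatch is what the route-null script on the agent receives as its argument; the status regex never has to live on the agent because the 4xx test runs on the manager.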