Hi Ralph,

You are welcome.

Yes, I did. I can confirm I was seeing entries in active-response.log and
*firewall-dns-query-drop.sh* was triggering.

Let me see if I can keep helping you. By "stand-alone" you mean you only
have an OSSEC Manager running, is that right?
Just to be sure: in the active-response block, "*local*" means "agents", and
"*server*" means that the AR will work for the OSSEC Manager. You could
check the documentation here
<http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.active-response.html#element-location>,
which probably explains everything better than I can :D

Copy-pasting from OSSEC Docs:

> *location*: Where the command should be executed. You have four options:
> Allowed:
> local: on the agent that generated the event
> server: on the OSSEC server
> defined-agent: on a specific agent (when using this option, you need to
> set the agent_id to use)
> all: or everywhere.

"local" setting will run the command only on agent side, never on Manager
side.

Hope it helps.

Cheers,
Pedro.

On Tue, Mar 14, 2017 at 2:04 PM, Ralph Durkee <ralph.dur...@gmail.com>
wrote:

> Thanks for trying it.
>
>    - Permissions on the script are good.
>
> # ll active-response/bin/firewall-dns-query-drop.sh
> -rwxr-x--- 1 root ossec 5758 Mar 10 07:58 active-response/bin/firewall-dns-query-drop.sh*
>
>    - I removed the <level> 8 tag.
>    - This is a stand-alone install so I don't think the server tag is
>    needed.
>
> Just to confirm that when you say it worked, the active-response.log shows
> an attempt to run the script active-response/bin/firewall-dns-query-drop.sh?
>
> I did a test where I copied firewall-drop.sh to firewall-dns-query-drop.sh
> just to eliminate any concern that the issue might be with the script, but
> the script did not get invoked. It would generate an error, because an IP
> address isn't passed, but I'm convinced it's something in the
> ossec-server.conf file. I'm going to try it out on a clean CentOS 7
> system next.
>
> Thanks for the help,
>
> -- Ralph
>
>
> On Tuesday, March 14, 2017 at 8:13:31 AM UTC-4, Pedro Sanchez wrote:
>>
>> Hi Ralph,
>>
>> I have been testing your configuration, everything works great on my
>> environment (using standard firewall-drop.sh).
>>
>> A few tips which may help you:
>>
>>    - Active-response block: you are using *rules_id* and *level*. Since
>>      your rule will have the same level no matter what, maybe you could
>>      remove <level>.
>>    - Active-response block: you defined "local", which will only trigger
>>      the active response on remote agents. In case you want to trigger
>>      the active response on the manager, you could use "*server*", or
>>      both, "*server,local*" (the "*all*" option is not working on my
>>      environment).
>>    - Ruleset: I did verify your decoders and rules; still, you could use
>>      the bin/ossec-logtest tool and paste your event, just to confirm they
>>      are working properly on your installation.
>>    - You could run the active response manually by running:
>>      *bin/agent_control -b ip_address_to_block -f firewall-dns-query-drop5400 -u agent_id*
>>    - Permissions: confirm your scripts have permissions root:ossec and
>>      rwxr-x---.
>>
>>
>> Hope it helps, best regards,
>> Pedro Sanchez.
>>
>> On Monday, March 13, 2017 at 3:11:50 PM UTC+1, Ralph Durkee wrote:
>>>
>>>
>>> I’m getting heavy flurries of bogus DNS queries to a non-recursive,
>>> authoritative DNS server. The traffic comes from a large spread of src IP
>>> addresses, so it’s obviously mostly spoofed. The queries are all denied, so
>>> it’s almost no risk, except that it heavily overloads the log management,
>>> it’s annoying, and could cause some more serious logs to get missed in the
>>> flurry. The rate of traffic is about 3 – 20 queries per second, and a
>>> flurry often runs for several hours. The host name is random, but the
>>> domain names are pretty static within a single flurry. So I’ve written a
>>> named decoder to extract the host name as ‘user’, and rules to alert on the
>>> flurry of denied queries. The decoder and alerts are working fine. I also
>>> have an active response script which adds an iptables rule to drop queries
>>> for a specific denied domain name. The script works fine when run by hand.
>>> It’s based on the existing active-response/bin/firewall-drop.sh so that
>>> it uses the same locking directory, and the two scripts will co-operate
>>> on locking. The one thing that’s not working is that when the alert is
>>> generated, the script doesn't get run. The script is in
>>> active-response/bin with rx permissions. There’s no error log in
>>> ossec.log and there’s not even an indication that it started to run in
>>> active-responses.log. The first thing the script does is generate a log to
>>> active-response.log similar to the script it’s based on. However the script
>>> is not run when the alert is generated for rule 100002.
>>>
>>>
>>> *Sample traffic:*
>>>
>>> Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173 (odcdavcxkvin.games.yuanyou8.com): query (cache) 'odcdavcxkvin.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:45 net19 named[6147]: client 29.153.55.216#28938 (qbwrypybuhuv.games.yuanyou8.com): query (cache) 'qbwrypybuhuv.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:46 net19 named[6147]: client 126.122.141.86#34892 (azkhczkxcpgh.games.yuanyou8.com): query (cache) 'azkhczkxcpgh.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:46 net19 named[6147]: client 72.226.226.185#29311 (wfgdglqlqbwd.games.yuanyou8.com): query (cache) 'wfgdglqlqbwd.games.yuanyou8.com/A/IN' denied
>>>
>>>
>>> *Sample alerts:*
>>>
>>> ** Alert 1489383774.343817: - local,syslog,
>>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>>> Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
>>> Src IP: 60.50.34.62
>>> Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074 (uburatmbgrov.games.yuanyou8.com): query (cache) 'uburatmbgrov.games.yuanyou8.com/A/IN' denied
>>>
>>> ** Alert 1489383774.344139: - local,syslog,
>>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>>> Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
>>> Src IP: 42.76.121.217
>>> Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337 (eropovspwfyl.games.yuanyou8.com): query (cache) 'eropovspwfyl.games.yuanyou8.com/A/IN' denied
>>>
>>> ** Alert 1489383774.344465: - local,syslog,
>>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>>> Rule: 100002 (level 8) -> 'Multiple denied DNS queries in a short time.'
>>> Src IP: 96.174.127.167
>>> Mar 13 01:42:54 net19 named[6147]: client 96.174.127.167#16133 (qtoncngdqvcv.games.yuanyou8.com): query (cache) 'qtoncngdqvcv.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337 (eropovspwfyl.games.yuanyou8.com): query (cache) 'eropovspwfyl.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074 (uburatmbgrov.games.yuanyou8.com): query (cache) 'uburatmbgrov.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 31.138.210.77#3939 (izilszqtqvav.games.yuanyou8.com): query (cache) 'izilszqtqvav.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 44.157.160.105#63395 (afmxgjqfelwj.games.yuanyou8.com): query (cache) 'afmxgjqfelwj.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 1.58.85.178#22054 (olshwnafqhihgvkn.games.yuanyou8.com): query (cache) 'olshwnafqhihgvkn.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 103.7.105.111#13695 (yzunwbizupyr.games.yuanyou8.com): query (cache) 'yzunwbizupyr.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:52 net19 named[6147]: client 34.96.205.55#4089 (atkdwdixmfkl.games.yuanyou8.com): query (cache) 'atkdwdixmfkl.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:52 net19 named[6147]: client 70.94.229.18#28624 (oletkhwbodyn.games.yuanyou8.com): query (cache) 'oletkhwbodyn.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:51 net19 named[6147]: client 47.224.195.250#8636 (axcpajunsfoj.games.yuanyou8.com): query (cache) 'axcpajunsfoj.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:51 net19 named[6147]: client 96.243.170.64#27176 (ahefilwzohgb.games.yuanyou8.com): query (cache) 'ahefilwzohgb.games.yuanyou8.com/A/IN' denied
>>>
>>>
>>> *Active response configuration.*
>>>
>>> <!-- RALPH: Customized script based on firewall-drop.sh
>>>      uses same locking, drops DNS queries with specific domain name.
>>> -->
>>> <command>
>>>   <name>firewall-dns-query-drop</name>
>>>   <executable>firewall-dns-query-drop.sh</executable>
>>>   <expect>user</expect>
>>>   <timeout_allowed>yes</timeout_allowed>
>>> </command>
>>>
>>> . . .
>>>
>>> <active-response>
>>>   <command>firewall-dns-query-drop</command>
>>>   <location>local</location>
>>>   <rules_id>100002</rules_id>
>>>   <level>8</level>
>>>   <timeout>5400</timeout>
>>> </active-response>
>>>
>>> *The decoder:*
>>>
>>> # *cat etc/decoders.d/local_named.xml*
>>>
>>> <!-- RALPH: Adjust decoder to catch domain name.
>>> SAMPLES:
>>> Mar 7 09:43:19 net19 named[6147]: client 53.144.157.215#61687 (qhctgjulipqfchyv.qiyering.com): query (cache) 'qhctgjulipqfchyv.qiyering.com/A/IN' denied
>>>
>>> Doesn't make sense to put the domain name in "user", except only srcip and user
>>> are passed to active scripts, and have a <same_xxx> capability.
>>> -->
>>> <decoder name="named-query-denied">
>>>   <parent>named</parent>
>>>   <prematch>denied$</prematch>
>>>   <regex>client (\S+)#\d+\s+\((\S+)\): query </regex>
>>>   <order>srcip,user</order>
>>> </decoder>
>>>
>>>
>>> *New rules in rules/local_rules.xml*
>>>
>>> <!-- Was level 0, now it needs to aggregate to an automated response.
>>> -->
>>> <rule id="12108" level="4" overwrite="yes">
>>>   <if_sid>12100</if_sid>
>>>   <match>query (cache) denied|: query (cache)</match>
>>>   <description>Invalid Query cache denied.</description>
>>> </rule>
>>>
>>> <rule id="100002" level="8" frequency="10" timeframe="60">
>>>   <if_matched_sid>12108</if_matched_sid>
>>>   <description>Multiple denied DNS queries in a short time.</description>
>>>   <info></info>
>>> </rule>
>>>
>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

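Added example for the thread above (editor's code, not Ralph's firewall-dns-query-drop.sh, which the thread does not show, and not OSSEC's stock firewall-drop.sh): a minimal active-response script in the shape OSSEC expects, showing what Ralph's configuration hands the script and what a practitioner would check before acting on it. OSSEC runs AR scripts as `script ACTION USER SRCIP ALERTID RULEID`, the same convention firewall-drop.sh follows; with `<expect>user</expect>` the decoder's `user` field (the queried host name) arrives as the second argument, and with `<timeout>5400</timeout>` the same script is run again with ACTION=delete when the timeout expires, so both actions have to be handled. Everything else is an assumption made for the example: the random leftmost label is stripped to get the domain to block, queries are dropped with an iptables string match on the wire-format question name, and setting IPTABLES=echo prints the rule instead of applying it. The `user` value is attacker-controlled log content, so it is validated before it reaches iptables.

```shell
#!/bin/sh
# Added example, not Ralph's script or OSSEC's stock firewall-drop.sh:
# an OSSEC active-response script that drops DNS queries for the domain
# the decoder placed in the "user" field.
#
# OSSEC invokes AR scripts as:  script ACTION USER SRCIP ALERTID RULEID
# ACTION is "add" when the rule fires and "delete" when <timeout> expires.
#
# Assumptions not taken from the thread: the random leftmost label is
# stripped to get the domain to block, the block is an iptables string
# match on the DNS question, and IPTABLES=echo gives a dry run.

# Reject anything that is not a plain hostname before it reaches iptables:
# the "user" field is attacker-controlled log content, not trusted input.
valid_domain() {
    case $1 in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# odcdavcxkvin.games.yuanyou8.com -> games.yuanyou8.com. Names with fewer
# than three labels are kept whole, so a two-label name never collapses to
# a bare TLD and blocks every query under it.
parent_domain() {
    case $1 in
        *.*.*) printf '%s\n' "${1#*.}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Wire-format question name in iptables --hex-string notation:
#   games.yuanyou8.com -> |05|games|08|yuanyou8|03|com|00|
# Each label is prefixed by its one-byte length; the final |00| is the root
# label, so a query for yuanyou8.com.evil.example does not match.
dns_hex_pattern() {
    out=""
    oldifs=$IFS; IFS=.
    for label in $1; do
        # RFC 1035 caps a label at 63 octets; anything longer cannot be real.
        [ "${#label}" -le 63 ] || { IFS=$oldifs; return 1; }
        out=$(printf '%s|%02x|%s' "$out" "${#label}" "$label")
    done
    IFS=$oldifs
    printf '%s|00|\n' "$out"
}

# add -> insert the DROP rule, delete -> remove the same rule. Arguments go
# to iptables directly (no eval), so the pattern is never re-parsed by a
# shell. Set IPTABLES=echo to print the rule instead of applying it.
apply_drop() {
    action=$1 domain=$2
    valid_domain "$domain" || { echo "refusing malformed domain: $domain" >&2; return 1; }
    case $action in
        add)    op=-I ;;
        delete) op=-D ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    pattern=$(dns_hex_pattern "$domain") || return 1
    "${IPTABLES:-iptables}" "$op" INPUT -p udp --dport 53 \
        -m string --algo bm --hex-string "$pattern" -j DROP
}

# Entry point in OSSEC's argument order.
main() {
    action=$1 user=$2 srcip=$3 alertid=$4 ruleid=$5
    # Same log the stock scripts append to, relative to active-response/bin.
    { echo "$(date) $0 $action $user $srcip $alertid $ruleid" >> "${PWD}/../active-responses.log"; } 2>/dev/null
    [ -n "$user" ] || { echo "$0: alert carried no user (domain) field" >&2; exit 1; }
    apply_drop "$action" "$(parent_domain "$user")"
}

# Only act when called with arguments, so the functions above can be
# sourced and exercised on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A dry run with the arguments OSSEC would pass for the third sample alert, `IPTABLES=echo sh firewall-dns-query-drop.sh add qtoncngdqvcv.games.yuanyou8.com 96.174.127.167 1489383774.344465 100002`, prints the iptables rule for games.yuanyou8.com. Two caveats worth knowing: the `user` and `Src IP` of a frequency-rule alert are those of the event that completed the count (the sample 100002 alert carries the last line's 96.174.127.167), and since rule 100002 has no `<same_user />`, the ten denied queries need not share a domain, so the domain the script receives is whichever one the tenth query used. The lock directory Ralph shares with firewall-drop.sh is left out of this example.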