Hi, you are right Tony. The syntax for *ossec.conf* is not user-friendly. You must think in the following way:

If it is a setting like yes/no, it will be overwritten if the parser finds the same setting below. Example:

  <active-response>
    <disabled>yes</disabled>
  </active-response>
  <active-response>
    <disabled>no</disabled>
  </active-response>

The final value will be 'no'.

However, if the setting is like a *list*, it will be appended if the parser finds the same setting below. Example:

  <rootcheck>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
  <rootcheck>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
  </rootcheck>

The final value will be:

  <rootcheck>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
  </rootcheck>

This kind of merge only happens for some sections. For example, it doesn't happen for *localfile*, *agentless*, *command*, *remote* and *syslog_output*.

I hope some day we can improve the syntax:

  <active-responses>
    <enabled>yes</enabled>
    <white-list>10.10.10.10</white-list>
    <active-response>
      ...
    </active-response>
  </active-responses>
  <localfiles>
    <localfile>
      ...
    </localfile>
  </localfiles>

Regards.

On Thursday, April 27, 2017 at 11:27:49 PM UTC+2, Tony Bryant wrote:
>
> For anyone curious it was an incredibly simple fix :(. Apparently if any active-responses in your ossec.config file are disabled, it will disable all of the active responses. I had 4 enabled and 1 disabled, but because of that 1, they all were disabled.
>
> On Wednesday, April 19, 2017 at 3:42:46 PM UTC-7, Tony Bryant wrote:
>>
>> Hmm, ok, is this the only active-response config on your agent? I'm not seeing any so that may be my problem. Is it one active-response config for all (like the one you posted below should serve all future ARs)? And what I posted was on the server. I'll give this a try though.
>>
>> On Wednesday, April 19, 2017 at 2:54:55 PM UTC-7, dan (ddpbsd) wrote:
>>>
>>> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant <cspit...@gmail.com> wrote:
>>> > How would I go about checking if AR is disabled on agents? Checking config files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this on Ubuntu.
>>> >
>>>
>>> I think it's enabled by default. This is all I have on one of my agents:
>>> <active-response>
>>>   <disabled>no</disabled>
>>>   <repeated_offenders>15,60,1440,86400</repeated_offenders>
>>> </active-response>
>>>
>>> > On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams <tsinfo...@gmail.com> wrote:
>>> >> > Still no luck. Just to verify, the scripts should be located in /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't really telling me anything either.
>>> >> >
>>> >>
>>> >> Yep, that's where they go.
>>> >> AR isn't disabled on the agents is it?
>>> >> What version of OSSEC? What OS/distro are you using? I don't think I'll be able to setup anything to try and recreate this.
>>> >>
>>> >> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant <cspit...@gmail.com> wrote:
>>> >> >> > Yes test.sh is on the agent. Execd is also running and yep the alert is firing.
>>> >> >> >
>>> >> >>
>>> >> >> Try removing the level option and leave just the rules_id.
>>> >> >>
>>> >> >> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>>> >> >> >>
>>> >> >> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant <cspit...@gmail.com> wrote:
>>> >> >> >> > Hello,
>>> >> >> >> >
>>> >> >> >> > I'm pretty new to OSSEC and I'm working to get some active responses working. I have tried a number of different active responses but cannot seem to get it to work anywhere (not on the server or agents). I'm now trying a simple AR to just log to active-responses.log but it still does not seem to be triggering. I do receive the email alert, but the AR does not trigger. Here is my config for the test active response:
>>> >> >> >> >
>>> >> >> >> > <command>
>>> >> >> >> >   <name>test</name>
>>> >> >> >> >   <executable>test.sh</executable>
>>> >> >> >> >   <expect></expect>
>>> >> >> >> >   <timeout_allowed>no</timeout_allowed>
>>> >> >> >> > </command>
>>> >> >> >> >
>>> >> >> >> > (I've tried the location as local, all, and server but no luck)
>>> >> >> >> >
>>> >> >> >> > <active-response>
>>> >> >> >> >   <disabled>no</disabled>
>>> >> >> >> >   <command>test</command>
>>> >> >> >> >   <location>local</location>
>>> >> >> >> >   <rules_id>70999</rules_id>
>>> >> >> >> >   <level>0</level>
>>> >> >> >> > </active-response>
>>> >> >> >> >
>>> >> >> >> > #!/bin/sh
>>> >> >> >> >
>>> >> >> >> > ACTION=$1
>>> >> >> >> > USER=$2
>>> >> >> >> > IP=$3
>>> >> >> >> > ALERTID=$4
>>> >> >> >> > RULEID=$5
>>> >> >> >> >
>>> >> >> >> > LOCAL=`dirname $0`;
>>> >> >> >> > cd $LOCAL
>>> >> >> >> > cd ../
>>> >> >> >> > PWD=`pwd`
>>> >> >> >> >
>>> >> >> >> > # Logging the call
>>> >> >> >> > echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
>>> >> >> >> >
>>> >> >> >> > The permissions on test.sh are correct with execute permission and I added them to ossec group as all other ARs seemed to have that.
>>> >> >> >> >
>>> >> >> >>
>>> >> >> >> Is test.sh on the system you're trying to run the AR on?
>>> >> >> >> Is execd running on the system you're trying to run the AR on?
>>> >> >> >> Is 70999 firing?
>>> >> >> >> With rules_id, I don't think you'll need the level option set.
>>> >> >> >>
>>> >> >> >> >
>>> >> >> >> > Thanks!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
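The merge rules described in the first reply, as an added Python example that is not from the thread or from OSSEC itself: it wraps a multi-root ossec.conf in a synthetic element, applies scalar-overwrite and list-append per section, keeps the sections the reply lists as unmerged as separate entries, and counts <active-response> blocks carrying <disabled>yes</disabled>, the pitfall Tony reported. The LIST_SETTINGS table, the function names and the sample config are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Settings that accumulate instead of overwriting (assumption: only the
# rootcheck example from the reply above; OSSEC has more such settings).
LIST_SETTINGS = {("rootcheck", "system_audit")}
# Sections the reply says are never merged: each block stays a separate entry.
UNMERGED = {"localfile", "agentless", "command", "remote", "syslog_output"}

def parse_ossec_conf(text):
    # ossec.conf may hold several <ossec_config> roots, which is not one
    # well-formed XML document, so wrap it in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def merge_sections(root):
    """Apply the merge rules: scalar last-wins, list append, unmerged kept apart."""
    merged = {}
    for cfg in root.findall("ossec_config"):
        for section in cfg:
            pairs = [(s.tag, (s.text or "").strip()) for s in section]
            if section.tag in UNMERGED:
                merged.setdefault(section.tag, []).append(dict(pairs))
                continue
            dest = merged.setdefault(section.tag, {})
            for tag, value in pairs:
                if (section.tag, tag) in LIST_SETTINGS:
                    dest.setdefault(tag, []).append(value)  # list: append
                else:
                    dest[tag] = value                       # scalar: last wins
    return merged

def count_disabled_active_responses(root):
    """Number of <active-response> blocks with <disabled>yes</disabled>: per the
    thread, even one of them switches off every active response."""
    return sum(1 for ar in root.iter("active-response")
               if (ar.findtext("disabled") or "").strip().lower() == "yes")

# Constructed sample: two <ossec_config> roots mirroring the reply's examples.
SAMPLE = """<ossec_config>
  <active-response><disabled>yes</disabled></active-response>
  <rootcheck><system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit></rootcheck>
  <localfile><log_format>syslog</log_format><location>/var/log/auth.log</location></localfile>
</ossec_config>
<ossec_config>
  <active-response><disabled>no</disabled></active-response>
  <rootcheck><system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit></rootcheck>
</ossec_config>"""

if __name__ == "__main__":
    conf = parse_ossec_conf(SAMPLE)
    print(merge_sections(conf), count_disabled_active_responses(conf))
```

Running it against a real ossec.conf shows the effective value of each repeated setting, and a non-zero count from the second function is the first thing to check when every active response stays silent.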