Hi,
you are right Tony. The syntax for *ossec.conf* is not user-friendly. You
must think in the following way:
If it is a setting like yes/no, it will be overwritten if the parser found
the same setting below. Example:
<active-response>
<disabled>yes</disabled>
</active-response>
<active-response>
<disabled>no</disabled>
</active-response>
The final value will be 'no'.
However, if the setting is like a *list*, it will be append it if the
parser found the same setting below. Example:
<rootcheck>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
</rootcheck>
<rootcheck>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
</rootcheck>
The final value will be:
<rootcheck>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
</rootcheck>
This kind of merge only happens for some sections. For example, it doesn't
happen for *localfile, agentless, command, remote *and* syslog_output.*
I hope some day we can improve the syntax:
<active-responses>
<enabled>yes</enabled>
<white-list>10.10.10.10</white-list>
<active-response>
...
</active-response>
<active-response>
<localfiles>
<localfile>
...
<localfile>
<localfiles>
Regards.
On Thursday, April 27, 2017 at 11:27:49 PM UTC+2, Tony Bryant wrote:
>
> For anyone curious it was an incredibly simple fix :(. Apparently if any
> active-responses in your ossec.config file are disabled, it will disable
> all of the active responses. I had 4 enabled and 1 disabled, but because of
> that 1, they all were disabled.
>
> On Wednesday, April 19, 2017 at 3:42:46 PM UTC-7, Tony Bryant wrote:
>>
>> Hmm, ok, is this the only active-response config on your agent? I'm not
>> seeing any so that may be my problem. Is it one active-response config for
>> all (like the one you posted below should serve all future ARs)? And what I
>> posted was on the server. I'll give this a try though
>>
>> On Wednesday, April 19, 2017 at 2:54:55 PM UTC-7, dan (ddpbsd) wrote:
>>>
>>> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant <cspit...@gmail.com>
>>> wrote:
>>> > How would I go about checking if AR is disabled on agents? Checking
>>> config
>>> > files and don't see anything about it. Running v2.8.3 for OSSEC. Also,
>>> this
>>> > on Ubuntu
>>> >
>>>
>>> I think it's enabled by default. This is all I have on one of my agents:
>>> <active-response>
>>> <disabled>no</disabled>
>>> <repeated_offenders>15,60,1440,86400</repeated_offenders>
>>> </active-response>
>>>
>>>
>>> > On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams <tsinfo...@gmail.com>
>>> wrote:
>>> >> > Still no luck. Just to verify, the scripts should be located in
>>> >> > /var/ossec/active-response/bin/, correct? Unfortunately the logs
>>> aren't
>>> >> > really telling me anything either.
>>> >> >
>>> >>
>>> >> Yep, that's where they go.
>>> >> AR isn't disabled on the agents is it?
>>> >> What version of OSSEC? What OS/distro are you using? I don't think
>>> >> I'll be able to setup anything to try and recreate this.
>>> >>
>>> >>
>>> >>
>>> >> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd)
>>> wrote:
>>> >> >>
>>> >> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant <cspit...@gmail.com>
>>> >> >> wrote:
>>> >> >> > Yes test.sh is on the agent. Execd is also running and yep the
>>> alert
>>> >> >> > is
>>> >> >> > firing.
>>> >> >> >
>>> >> >>
>>> >> >> Try removing the level option and leave just the rules_id.
>>> >> >>
>>> >> >> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd)
>>> >> >> > wrote:
>>> >> >> >>
>>> >> >> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant <
>>> cspit...@gmail.com>
>>> >> >> >> wrote:
>>> >> >> >> > Hello,
>>> >> >> >> >
>>> >> >> >> > I'm pretty new to OSSEC and I'm working to get some active
>>> >> >> >> > responses
>>> >> >> >> > working. I have tried a number of different active responses
>>> but
>>> >> >> >> > cannot
>>> >> >> >> > seem
>>> >> >> >> > to get it to work anywhere (not on the server or agents). I'm
>>> now
>>> >> >> >> > trying
>>> >> >> >> > a
>>> >> >> >> > simple AR to just log to active-responses.log but it still
>>> does
>>> >> >> >> > not
>>> >> >> >> > seem
>>> >> >> >> > to
>>> >> >> >> > be triggering. I do receive the email alert, but the AR does
>>> not
>>> >> >> >> > trigger.
>>> >> >> >> > Here is my config for the test active response:
>>> >> >> >> >
>>> >> >> >> > <command>
>>> >> >> >> >
>>> >> >> >> > <name>test</name>
>>> >> >> >> >
>>> >> >> >> > <executable>test.sh</executable>
>>> >> >> >> >
>>> >> >> >> > <expect></expect>
>>> >> >> >> >
>>> >> >> >> > <timeout_allowed>no</timeout_allowed>
>>> >> >> >> >
>>> >> >> >> > </command>
>>> >> >> >> >
>>> >> >> >> > (I've tried the location as local, all, and server but no
>>> luck)
>>> >> >> >> >
>>> >> >> >> > <active-response>
>>> >> >> >> >
>>> >> >> >> > <disabled>no</disabled>
>>> >> >> >> >
>>> >> >> >> > <command>test</command>
>>> >> >> >> >
>>> >> >> >> > <location>local</location>
>>> >> >> >> >
>>> >> >> >> > <rules_id>70999</rules_id>
>>> >> >> >> >
>>> >> >> >> > <level>0</level>
>>> >> >> >> >
>>> >> >> >> > </active-response>
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > #!/bin/sh
>>> >> >> >> >
>>> >> >> >> > ACTION=$1
>>> >> >> >> > USER=$2
>>> >> >> >> > IP=$3
>>> >> >> >> > ALERTID=$4
>>> >> >> >> > RULEID=$5
>>> >> >> >> >
>>> >> >> >> > LOCAL=`dirname $0`;
>>> >> >> >> > cd $LOCAL
>>> >> >> >> > cd ../
>>> >> >> >> > PWD=`pwd`
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > # Logging the call
>>> >> >> >> > echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >>
>>> >> >> >> > ${PWD}/../logs/active-responses.log
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > The permissions on test.sh are correct with execute
>>> permission and
>>> >> >> >> > I
>>> >> >> >> > added
>>> >> >> >> > them to ossec group as all other ARs seemed to have that.
>>> >> >> >> >
>>> >> >> >>
>>> >> >> >> Is test.sh on the system you're trying to run the AR on?
>>> >> >> >> Is execd running on the system you're trying to run the AR on?
>>> >> >> >> Is 70999 firing?
>>> >> >> >> With rules_id, I don't think you'll need the level option set.
>>> >> >> >>
>>> >> >> >> >
>>> >> >> >> > Thanks!
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > </active-response>
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > --
>>> >> >> >> >
>>> >> >> >> > ---
>>> >> >> >> > You received this message because you are subscribed to the
>>> Google
>>> >> >> >> > Groups
>>> >> >> >> > "ossec-list" group.
>>> >> >> >> > To unsubscribe from this group and stop receiving emails from
>>> it,
>>> >> >> >> > send
>>> >> >> >> > an
>>> >> >> >> > email to ossec-list+...@googlegroups.com.
>>> >> >> >> > For more options, visit https://groups.google.com/d/optout.
>>> >> >> >
>>> >> >> > --
>>> >> >> >
>>> >> >> > ---
>>> >> >> > You received this message because you are subscribed to the
>>> Google
>>> >> >> > Groups
>>> >> >> > "ossec-list" group.
>>> >> >> > To unsubscribe from this group and stop receiving emails from
>>> it,
>>> >> >> > send
>>> >> >> > an
>>> >> >> > email to ossec-list+...@googlegroups.com.
>>> >> >> > For more options, visit https://groups.google.com/d/optout.
>>> >> >
>>> >> > --
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google
>>> >> > Groups
>>> >> > "ossec-list" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it,
>>> send
>>> >> > an
>>> >> > email to ossec-list+...@googlegroups.com.
>>> >> > For more options, visit https://groups.google.com/d/optout.
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an
>>> > email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
