Not sure if the issue was solved, but we had a similar problem, where the 
issue was with our access lists. The UDP logs would be sent to the OSSEC 
server but no UDP packets could be sent back to the client, so no reaction 
was sent. Is a response packet sent by OSSEC? 
Hope that helps!

On Monday, July 3, 2017 at 06:14:30 UTC-4, Fredrik Hilmersson wrote:
>
> Hey, I had a similar issue with the active response not working as 
> intended. The way I solved it was to add the following to the ossec.conf 
>
> <ossec_config>
>   <client>
>     <server-ip>ossec-server</server-ip>
>   </client>
>   <active-response>
>     <repeated_offenders>30,60,120,240,480</repeated_offenders>
>   </active-response>
>   <global>
>     <email_notification>no</email_notification>
>   </global>
> </ossec_config>
>
> kind regards,
> Fredrik
>
> On Monday, July 3, 2017 at 12:05:36 UTC+2, Tunguyen wrote:
>>
>> My rule fired, and I received alert emails too. But active-response doesn't 
>> work. 
>>
>> Here is my active-response config in ossec.conf:
>>
>> <active-response>
>>     <command>firewall-drop</command>
>>     <location>all</location>
>>     <rules_id>100101</rules_id>
>>     <timeout>600</timeout>
>> </active-response>
>>
>> Here is my email alert:
>>
>> Received From: ubuntu-server->/var/log/nginx/access.log
>> Rule: 100101 fired (level 9) -> "Multiple access in a short time from same IP"
>> Portion of the log(s):
>>
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:27 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:26 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:24 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>> 118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
>>
>>
>> After receiving this alert message, my IP hasn't been blocked and I can 
>> still send a bunch of requests to the server. And when I checked 
>> /var/ossec/logs/active-responses.log, it was empty. No IP has been blocked. 
>> Can someone explain, please?
>>
>
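As an added example (not code from any of the posters, nor from the OSSEC project), the script below parses an ossec.conf fragment assembled from the configuration shown in this thread, checks the things that most often make an active response fire silently (undefined or disabled command, command that does not expect srcip, bad location, no rule match criteria), and works out the block schedule that <timeout> plus <repeated_offenders> produce for one offending IP. The firewall-drop <command> definition in the sample is assumed to be the stock one from OSSEC's default ossec.conf, since the original post did not show it, and the escalation semantics in block_schedule are taken from the OSSEC documentation and marked as an assumption in the code. It does not test the network path the first reply describes: for that, confirm on the agent that UDP datagrams from the server actually arrive.

```python
"""Sanity-check an OSSEC active-response configuration and work out the
block schedule that <timeout> and <repeated_offenders> produce.

Added example for the ossec-list thread above; not code from the thread's
participants or from the OSSEC project. The configuration text is
constructed here from the poster's <active-response> block, the
repeated_offenders line in the reply, and the stock firewall-drop
<command> definition that OSSEC ships in its default ossec.conf.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (assumption: the server side carries the default
# firewall-drop <command> definition, which the original post did not show).
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
  </active-response>
</ossec_config>
"""

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


def parse_conf(text):
    """ossec.conf may contain several top-level <ossec_config> elements, which
    is not a single well-formed XML document, so wrap them in one root."""
    return ET.fromstring("<root>" + text + "</root>")


def check_active_response(text):
    """Return a list of problems; an empty list means the blocks are consistent."""
    root = parse_conf(text)
    problems = []

    # <command> *definitions* have a <name> child; the <command> inside an
    # <active-response> block is only a reference and has none.
    commands = {c.findtext("name"): c for c in root.iter("command") if c.findtext("name")}

    for ar in root.iter("active-response"):
        ref = ar.findtext("command")
        if ref is None:
            continue  # e.g. a block that only sets <repeated_offenders>
        if ar.findtext("disabled") == "yes":
            problems.append(f"response '{ref}' is disabled")
        if ref not in commands:
            problems.append(f"active-response references undefined command '{ref}'")
        elif commands[ref].findtext("expect") != "srcip":
            problems.append(f"command '{ref}' must <expect>srcip</expect> to block a source IP")
        loc = ar.findtext("location")
        if loc not in VALID_LOCATIONS:
            problems.append(f"missing or invalid <location> {loc!r}")
        elif loc == "defined-agent" and ar.findtext("agent_id") is None:
            problems.append("<location>defined-agent</location> needs an <agent_id>")
        if all(ar.findtext(k) is None for k in ("rules_id", "level", "rules_group")):
            problems.append(f"response '{ref}' has no <rules_id>, <level> or <rules_group>, so it never triggers")
        timeout = ar.findtext("timeout")
        if timeout is not None and not timeout.strip().isdigit():
            problems.append(f"<timeout> must be an integer number of seconds, got {timeout!r}")
    return problems


def repeated_offenders(text):
    """Minutes listed in <repeated_offenders>, or [] when the option is absent."""
    for ar in parse_conf(text).iter("active-response"):
        val = ar.findtext("repeated_offenders")
        if val:
            return [int(v) for v in val.split(",")]
    return []


def block_schedule(timeout_s, offenders_min, offences):
    """Seconds each successive block of one source IP lasts.

    Assumed semantics (OSSEC documentation): the first block uses <timeout>
    (seconds); each repeat uses the next <repeated_offenders> entry (minutes);
    once the list is exhausted the last entry is reused.
    """
    schedule = []
    for n in range(offences):
        if n == 0 or not offenders_min:
            schedule.append(timeout_s)
        else:
            schedule.append(offenders_min[min(n - 1, len(offenders_min) - 1)] * 60)
    return schedule


if __name__ == "__main__":
    for line in check_active_response(SAMPLE_CONF) or ["config looks consistent"]:
        print(line)
    print(block_schedule(600, repeated_offenders(SAMPLE_CONF), 7))
```

With the thread's values the schedule comes out as 600 s for the first block, then 30, 60, 120, 240 and 480 minutes, and 480 minutes for every block after that. Note that the checks only cover the server-side config; repeated_offenders lives in the agent's ossec.conf, and a consistent config still produces an empty active-responses.log if the agent never receives the server's command.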

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.