[ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2017-07-04 Thread Tunguyen
Hi everyone, here is my ossec.conf on the server:

  <active-response>
    <command>firewall-drop</command>
    <location>server,all</location>
    <rules_id>31152</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60,90,120,150</repeated_offenders>
  </active-response>

Rule 31152 is:

  <rule id="31152">  <!-- level, frequency and timeframe attributes not shown in the original post -->
    <if_matched_sid>31103</if_matched_sid>
    <description>Multiple SQL injection attempts from same source ip.</description>
    <group>attack,sql_injection,</group>
  </rule>

After I tried SQL injection against the agent using the agent IP address, rule 
31152 fired. I could still connect to the agent IP, but I couldn't connect to 
the server IP, and I found out that I had been blocked from the server IP. If I 
change server,all into all, I am not blocked anymore by either the server or 
the agent. So has anything gone wrong with my config?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Rule fired but active-response didn't work

2017-07-03 Thread Tunguyen
My rule fired, and I received alert emails too. But active-response doesn't 
work.

Here is my active-response config in ossec.conf:

<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <rules_id>100101</rules_id>
  <timeout>600</timeout>
</active-response>

Here is my email alert:

Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired (level 9) -> "Multiple access in a short time from same IP" Portion of the log(s):

118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:27 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:26 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:25 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:24 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
118.70.116.148 - tu_nguyen [03/Jul/2017:16:46:23 +0700] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"


After receiving this alert message, my IP hasn't been blocked and I can still 
send a bunch of requests to the server. And when I checked 
/var/ossec/logs/active-responses.log, it was empty. No IP has been blocked. 
Can someone explain, please?



[ossec-list] Ossec Active-Response stop working after a few days

2017-07-02 Thread Tunguyen
First, sorry for my bad English.
I'm a newbie and I have used OSSEC for about 2 weeks. Last week, active 
response still worked well, but after 2 or 3 days I checked 
/var/logs/auth.log and found that there was an SSH brute-force attack from 
an IP against my server. But then I checked the active-response log and found 
that this IP didn't get blocked by firewall-drop.

Here is the active-response config from ossec.conf:

  <active-response>
    <!-- the <command> element was not shown in the original post -->
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>10,20,30</repeated_offenders>
  </active-response>

Rule 5712 remains the same as the default in sshd_rules.xml.

Here is the auth.log:
Jul  3 08:01:51 ubuntu-server sshd[17502]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:01:54 ubuntu-server sshd[17504]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:01:57 ubuntu-server sshd[17506]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:00 ubuntu-server sshd[17508]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:02 ubuntu-server sshd[17510]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:04 ubuntu-server sshd[17512]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:07 ubuntu-server sshd[17514]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:10 ubuntu-server sshd[17516]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:13 ubuntu-server sshd[17518]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:16 ubuntu-server sshd[17520]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
Jul  3 08:02:18 ubuntu-server sshd[17522]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]

There are about a hundred of these log lines, all from the same IP, but this 
IP hasn't been blocked. The active-responses log shows nothing about blocking 
this IP. Has anything happened to the active-response or to OSSEC?

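As an added illustration that is not from the posts or from OSSEC's own code: a Python script that replays the auth.log lines quoted above through a per-IP sliding window of the kind an OSSEC composite rule applies (frequency within timeframe), and computes the block duration that a timeout of 600 with repeated_offenders 10,20,30 yields on each offense. The thresholds passed in and the repeated_offenders semantics are assumptions, stated in the comments.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the auth.log lines quoted in the post above (all pre-auth
# disconnects from one source IP, a few seconds apart).
AUTH_LOG = "\n".join(
    f"Jul  3 08:{mm}:{ss} ubuntu-server sshd[{pid}]: Received disconnect from "
    "114.113.127.178: 11: Bye Bye [preauth]"
    for mm, ss, pid in [("01", "51", 17502), ("01", "54", 17504), ("01", "57", 17506),
                        ("02", "00", 17508), ("02", "02", 17510), ("02", "04", 17512),
                        ("02", "07", 17514), ("02", "10", 17516), ("02", "13", 17518),
                        ("02", "16", 17520), ("02", "18", 17522)])

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Received disconnect from (?P<ip>[\d.]+): \d+: .*\[preauth\]$")

def parse_ts(ts, year=2017):
    """syslog timestamps carry no year; the post is from July 2017."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(log_text, frequency, timeframe):
    """Per-source-IP sliding window, like an OSSEC composite rule that fires
    when `frequency` matches land within `timeframe` seconds. Returns one
    (ip, time) per threshold crossing; the window resets after a hit so one
    burst yields one alert. Thresholds are assumed, not those of rule 5712."""
    windows, hits = defaultdict(deque), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, ip = parse_ts(m["ts"]), m["ip"]
        w = windows[ip]
        w.append(t)
        while (t - w[0]).total_seconds() > timeframe:
            w.popleft()
        if len(w) >= frequency:
            hits.append((ip, t))
            w.clear()
    return hits

def block_timeout(offense, timeout=600, repeated_offenders=(10, 20, 30)):
    """Seconds a firewall-drop stays active for the n-th offense by one IP.
    Assumed semantics of <repeated_offenders>: the first offense uses <timeout>
    (seconds), later ones take the minute values in order and stay at the last."""
    if offense <= 1:
        return timeout
    return repeated_offenders[min(offense - 2, len(repeated_offenders) - 1)] * 60
```

Lowering the timeframe to a few seconds on the same eleven lines shows why a burst that is spread out never reaches the threshold, which is one of the first things to check when a rule fires in email but no block appears in active-responses.log.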