[ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2017-07-04 Thread Tunguyen
Hi everyone, here is my ossec.conf on the server:

  

firewall-drop
server,all
31152
600
30,60,90,120,150
  

rule 31152 is:

  
31103

Multiple SQL injection attempts from same 
souce ip.
attack,sql_injection,
  

After I tried SQL injection against the agent using the agent IP address, 
rule 31152 fired. I could still connect to the agent IP, but I couldn't connect 
to the server IP, and I found out that I was blocked from the server 
IP. If I change server,all into 
all, I am not blocked anymore by either the server or the 
agent. So is there anything wrong with my config?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
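Added example, not OSSEC's own firewall-drop script and not part of the thread: a POSIX shell dry run of an active-response command. It takes the arguments OSSEC passes to a response (action, user, source IP, alert id, rule id, in that order, which is the assumed convention here), validates the source IP, and refuses to act on an allowlisted address before printing the iptables command it would otherwise run, tagged with the host that would run it. A drop fired by a test from the admin's own address is applied on every host that executes the response, and with server,all that includes the server, so a pre-check like this (or an entry in OSSEC's own white_list under the global section of ossec.conf) keeps an admin from locking themselves out while testing. The addresses in AR_ALLOWLIST are constructed placeholders.

```shell
#!/bin/sh
# Dry-run checker for OSSEC active-response arguments.
# Added example: not OSSEC's firewall-drop.sh. Assumes the OSSEC argument
# order for response commands: ACTION USER SRCIP [ALERT_ID] [RULE_ID].

# Constructed allowlist (TEST-NET placeholders): addresses that must never be
# dropped, such as the OSSEC server itself and the admin's workstation.
AR_ALLOWLIST="192.0.2.10 198.51.100.5"

# valid_ipv4 ADDR: accept only a dotted quad with octets 0-255. Rejects the
# '-' OSSEC passes for a missing field, hostnames and shell metacharacters.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# in_allowlist ADDR: true when ADDR is listed in AR_ALLOWLIST.
in_allowlist() {
    for allowed in $AR_ALLOWLIST; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# ar_check ACTION USER SRCIP [ALERT_ID] [RULE_ID]
# Prints the iptables command that would run, tagged with the host that would
# run it, and returns 0; prints 'skip: <reason>' and returns 1 otherwise.
ar_check() {
    action=$1
    srcip=$3
    rule=${5:-unknown}
    host=$(uname -n)
    case "$action" in
        add)    verb=-I ;;
        delete) verb=-D ;;
        *) echo "skip: unknown action '$action' (rule $rule)"; return 1 ;;
    esac
    if ! valid_ipv4 "$srcip"; then
        echo "skip: '$srcip' is not an IPv4 address (rule $rule)"
        return 1
    fi
    if in_allowlist "$srcip"; then
        echo "skip: $srcip is allowlisted on $host (rule $rule)"
        return 1
    fi
    echo "iptables $verb INPUT -s $srcip -j DROP   # on $host, rule $rule"
    return 0
}

# Example invocation in the form OSSEC would use (the alert id is constructed):
# ar_check add - 203.0.113.7 1499180000.1234 31152
```

Call it the way OSSEC calls a response command, as in the comment at the end; the exit status tells a wrapper whether the real iptables call should follow, and the printed line doubles as the entry you would want in active-responses.log to see which host actually applied a drop.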


[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-04 Thread Jesus Linares
Hi Ian,

try this rule:


  

  
18105
192.168.1.120
ignore 192.168.1.120.
  



ossec-logtest:
2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-
Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows 
Filtering Platform blocked a packet. Application Information: Process ID: 0 
Application Name: - Network Information: Direction: %%14592 Source Address: 
192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 
Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 
93069 Layer Name: %%14597 Layer Run-Time ID: 13




**Phase 1: Completed pre-decoding.
   full event: '2017 Jul 02 22:38:47 WinEvtLog: Security: 
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no 
domain: leaf-1: The Windows Filtering Platform blocked a packet. 
Application Information: Process ID: 0 Application Name: - Network 
Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 
39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 
17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer 
Run-Time ID: 13'
   hostname: 'ip-10-0-0-10'
   program_name: 'WinEvtLog'
   log: 'Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The 
Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 
192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: 
Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'


**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'AUDIT_FAILURE'
   id: '5152'
   extra_data: 'Microsoft-Windows-Security-Auditing'
   dstuser: '(no user)'
   system_name: 'leaf-1'


**Phase 3: Completed filtering (rules).
   Rule id: '11'
   Level: '0'
   Description: 'ignore 192.168.1.120.'


I hope it helps.


On Monday, July 3, 2017 at 5:28:04 PM UTC+2, Ian Brown wrote:
>
> I believe I've figured it out -- I think the decoder isn't matching the 
> full log string and is thus stripping the ip address information.  Also 
> after looking at the regex in the decoder, I've discovered that it doesn't 
> even match against the first three example strings provided:
>
> Here's an example from the comments (After prematch):
> Security: AUDIT_FAILURE(0x02A9): Security: SYSTEM: NT AUTHORITY: The 
> logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from 
> workstation: la failed. The error code was: 3221225572
>
> yet, the regex is:
> ^\.+: (\w+)\((\d+)\): (\.+): 
>
> The second (\d+) will only match against numbers, so (0x02A9) will 
> never match.  It should be ([0-9A-Fx]+)
>
> Also, why is it escaping the period at the beginning and at the end? 
>  shouldn't the regex be:
> ^.+: (\w+)\((\d+)\): (.+):
>

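Ian's question about the escaped periods and the decoder output Jesus pasted both come down to OSSEC's own regex dialect: a bare '.' is a literal dot and '\.' is the wildcard, '\d' matches decimal digits only, and there is no bracket class such as [0-9A-Fx], so an id like 0x02A9 would have to be captured with '\w' instead. The translator below is an added example, not code from the thread or from OSSEC; it maps that dialect onto Python's re module and runs the quoted decoder regex against the two log payloads from the thread (the 5152 event from the logtest run and the 0x02A9 line from the decoder comments, both shortened). Two assumptions are marked in the code: the class table follows the OSSEC regex reference as I recall it (the underscore in '\w' is at least confirmed by AUDIT_FAILURE being captured above), and quantifiers are translated as lazy because the logtest output shows '(\.+): ' capturing only Microsoft-Windows-Security-Auditing and stopping at the first ': '.

```python
import re

# OSSEC regex character classes mapped onto Python regex syntax.
# Assumption: the table follows the OSSEC regex reference as I recall it.
# In OSSEC '\.' is the wildcard and a bare '.' is a literal dot, which is
# why the decoder regex quoted in the thread escapes its periods.
OSSEC_CLASSES = {
    ".": ".",                   # \.  any character
    "w": "[A-Za-z0-9_@-]",      # \w  word characters ('_' is needed for AUDIT_FAILURE)
    "W": "[^A-Za-z0-9_@-]",
    "d": "[0-9]",               # \d  decimal digits only: no 'x', no A-F
    "D": "[^0-9]",
    "s": " ",                   # \s  a space
    "S": "[^ ]",
    "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",  # \p  punctuation
}
OSSEC_META = set("^$|()")           # same meaning in both dialects, kept as-is
PY_SPECIAL = set(r".^$*+?{}[]\|()")  # literal in OSSEC, must be escaped for Python


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-dialect regex into an equivalent Python regex.

    Quantifiers are emitted lazy ('+?', '*?'). Assumption drawn from the
    ossec-logtest output in the thread: '(\\.+): ' captured
    'Microsoft-Windows-Security-Auditing' and stopped at the first ': ',
    so OSSEC takes the shortest match rather than the longest.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("dangling backslash in OSSEC regex")
            esc = pattern[i]
            if esc in OSSEC_CLASSES:
                out.append(OSSEC_CLASSES[esc])
            else:                        # \( \) \$ ... are escaped literals
                out.append("\\" + esc)
        elif c in "+*":
            out.append(c + "?")
        elif c in OSSEC_META:
            out.append(c)
        elif c in PY_SPECIAL:
            out.append("\\" + c)
        else:
            out.append(c)
        i += 1
    return "".join(out)


# The decoder regex quoted by Ian, and the same shape with the event-id
# capture widened to \w (OSSEC has no bracket class such as [0-9A-Fx]).
DECODER_REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): "
WIDENED_REGEX = r"^\.+: (\w+)\((\w+)\): (\.+): "

# Log payloads taken from the thread (shortened): the 5152 event from the
# ossec-logtest run and the 0x02A9 line from the decoder comments.
LOG_DECIMAL = ("Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
               "(no user): no domain: leaf-1: The Windows Filtering Platform "
               "blocked a packet.")
LOG_HEX = ("Security: AUDIT_FAILURE(0x02A9): Security: SYSTEM: NT AUTHORITY: "
           "The logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
           "from workstation: la failed. The error code was: 3221225572")


def decode_fields(pattern: str, log: str):
    """Return the (status, id, extra_data) captures of an OSSEC regex, or None."""
    match = re.search(ossec_to_python(pattern), log)
    return match.groups() if match else None


if __name__ == "__main__":
    for name, log in (("decimal id", LOG_DECIMAL), ("hex id", LOG_HEX)):
        print(f"{name:10} original regex: {decode_fields(DECODER_REGEX, log)}")
        print(f"{name:10} widened regex:  {decode_fields(WIDENED_REGEX, log)}")
```

Run directly to see the four results: the original regex returns None for the 0x02A9 line and the widened one captures the id on both payloads. The translator is only an aid for reasoning about a decoder before editing it; ossec-logtest remains the authoritative check.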


[ossec-list] Re: OSSEC rule match time and timeframe

2017-07-04 Thread Jesus Linares
Hi Fredrik,

Do you want to ignore rule 5501 if it is fired by your script? Is it 
not enough with the hostname and the user?

Regards.

On Monday, July 3, 2017 at 12:10:18 PM UTC+2, Fredrik Hilmersson wrote:
>
> Hello,
>
> Let's say I have a script which runs once every half an hour, with a 
> latency difference of about 10-20 seconds.
> Would it be possible to match the following:
>
> 1. Time
> 2. Hostname
> 3. Username
>
> The reason I prefer more than a single match, i.e. only time, is to not 
> miss an actual event by mistake.
>
> 
>
>  5501
>  **:30
>
>  agent-hostname
>  ssh-user
>
>  no_email_alert
>
>  Ignore rule 5501 for host 
>
> 
>
> Kind regards,
> Fredrik
>
