Hi Daniel,

Daniel Cid wrote:

I still got notifications from the agent host, and that is all I want. Enabling
active-response on a production system seems a bit risky to me. It could easily
give end-users the feeling of an unreliable service.

> Hi Martin,
>
> If you disabled active response on the agent, there is *no way* that any response
> is going to be executed over there. When it is disabled, "ossec-execd" (the daemon
> responsible for executing response) will not even start.

ossec-execd still seems to be running.

> If you look at /var/ossec/active-responses/ there should be no log file there
> (on the agent system).

Yes, the log file had not been updated since I disabled active-response.

ossecm   4137  0.0  0.0   1772  468 ?  S   12:14  0:00 /var/ossec/bin/ossec-maild
root     4141  0.0  0.0   1636  412 ?  S   12:14  0:00 /var/ossec/bin/ossec-execd
ossec    4145  0.1  0.1   1964  848 ?  S   12:14  0:04 /var/ossec/bin/ossec-analysisd
root     4149  0.0  0.0   1644  424 ?  S   12:14  0:00 /var/ossec/bin/ossec-logcollector
ossecr   4155  0.0  0.1  22332  708 ?  Sl  12:14  0:01 /var/ossec/bin/ossec-remoted
root     4161  1.5  0.1   1792  832 ?  S   12:14  0:40 /var/ossec/bin/ossec-syscheckd

> Can you do a "ps auwx | grep ossec" in the agent, just to confirm that execd is not
> running? If it is, can you show us your config file?

Attached.

Rgds.
Martin

> Related to the syscheck problem, increasing the frequency is going to help (and
> also nicing it), but we will come up with a better solution to fix it in the next
> version.

Thanks.
Martin

> Thanks for the report!
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net

----------------------------------------------------------------------

Hi oahmet,

oahmet wrote:
> Hi again,
>
> I just checked my 0.9 installed debian box and everything seems normal.
> Alert e-mails are coming with correct date (timezone values).
> Is it possible to send us a sample alert e-mail with full headers?
> (just copy&paste from /var/spool/mail).

Here you are:

Return-path: <[EMAIL PROTECTED]>
Date: Sun, 06 Aug 2006 01:42:49 +0000 (HKT)
From: OSSEC HIDS <[EMAIL PROTECTED]>
Subject: OSSEC Notification - localhost - Alert level 8

The above is from Fedora Core 5.

Also, I think I found a typo at point 3.5 of the installation script. The script
says the syslog collector port is 514, but it seems to be 1514 instead:

ossec-rem 621 ossecr 4u IPv4 10883705 UDP *:1514

> PS: I'll also add /var/adm/messages to config file on solaris systems.
>
> Regards,
>
> Ahmet Ozturk.
>
> Ahmet Ozturk wrote:
>> Hi Martin,
>>
>> Let me answer your first 2 questions:
>> 1. I'm not sure if you can throttle the syscheck cpu usage directly
>> (you may use nice command for a running process, but I don't know

Thanks for the idea. I will modify the ossec-control script to reduce its priority.

>> a way to automate this). syscheckd starts to run every 2 hours by default,
>> you may want to change this. (see <frequency> and other options in ossec.conf)
>> (http://www.ossec.net/en/manual.html#syscheck_options)

The frequency is what I am concerned about. I would prefer to have it run when my
server is free. It could be some time early in the morning or when the CPU usage
drops below a certain level.

>> 2. For active-response issue, please check the <location> option
>> in ossec.conf file on the server. If it has the value "local" it will execute
>> the active-response on the agent that generated the alert. If you want to
>> use active-response only on your server, this value should be set to
>> "analysis-server".
>> (http://www.ossec.net/en/manual.html#active-response-config)

Tried, but I got the following error:

[etc]# /etc/init.d/ossec restart
Stopping OSSEC: [ OK ]
Starting OSSEC: 2006/08/06 00:38:39 ossec-analysisd(1302): Invalid active response location: 'analysis-server'.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
[FAILED]

Rgds.
Martin
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>myemail</email_to>
    <smtp_server>mymailserver</smtp_server>
    <email_from>[EMAIL PROTECTED]</email_from>
  </global>

  <syscheck>
    <!-- Frequency that syscheck is executed - default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/usr/local/etc,/usr/local/bin,/usr/local/sbin</directories>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
  </global>

  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Active Response Config -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
      -->
    <command>host-deny</command>
    <!-- not working
    <location>analysis-server</location>
      -->
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <!-- not working
    <location>analysis-server</location>
      -->
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <!--
  <localfile>
    <log_format>snort-fast</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
  -->

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/error_log</location>
  </localfile>
</ossec_config>
<ossec_config> <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>user_defined.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
  </rules>
</ossec_config> <!-- rules global entry -->
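The thread turns on two things that are easy to get wrong in the file above: whether the `<disabled>yes</disabled>` block actually switches active response off on the host (Daniel's point that ossec-execd is then not even started), and which `<location>` values ossec-analysisd will accept (the manual's "analysis-server" was rejected with error 1302). The checker below is an added example written for this page, not code from the thread or from the OSSEC project. It parses an ossec.conf the way the posted file needs to be parsed (several sibling `<ossec_config>` roots, so the file is not a well-formed XML document on its own), reports whether active response is globally disabled, lists each configured response, and flags problems analysisd would refuse. The embedded sample configuration is constructed, cut down from Martin's file with his commented-out `analysis-server` value put back in so the failure is visible. The set of accepted location values is an assumption taken from the OSSEC manual for later releases; the thread itself only shows `local` working and `analysis-server` being rejected.

```python
"""Sanity-check active-response and syscheck settings in an ossec.conf.

Added example for this page; not part of OSSEC or of the original thread.
"""
import sys
import xml.etree.ElementTree as ET

# Location values ossec-analysisd accepts. ASSUMPTION: taken from the OSSEC
# manual for later releases. The thread only shows that 'local' works and that
# 'analysis-server' is rejected by 0.9 with "Invalid active response location".
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample, cut down from the configuration posted in the thread.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>analysis-server</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <rules>
    <include>rules_config.xml</include>
  </rules>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf is a sequence of sibling <ossec_config> elements with no
    single document root, so wrap it before handing it to the XML parser."""
    return ET.fromstring("<ossec_root>" + text + "</ossec_root>")


def _text(elem, path):
    value = elem.findtext(path)
    return value.strip() if value else ""


def check_active_response(root):
    """Return (disabled, responses, problems).

    disabled  -- True if any <active-response> block has <disabled>yes</disabled>;
                 on an agent that means ossec-execd is not started at all.
    responses -- configured responses as dicts (command, location, level, timeout).
    problems  -- findings that make analysisd refuse the file or a response not fire.
    """
    commands = {_text(c, "name"): c for c in root.findall("ossec_config/command")}
    disabled, responses, problems = False, [], []
    for ar in root.findall("ossec_config/active-response"):
        if _text(ar, "disabled").lower() == "yes":
            disabled = True
            continue
        resp = {k: _text(ar, k) for k in ("command", "location", "level", "timeout")}
        responses.append(resp)
        name = resp["command"]
        if name not in commands:
            problems.append(f"response '{name}': command is not defined in any <command> block")
        if resp["location"] not in VALID_LOCATIONS:
            problems.append(f"response '{name}': invalid active response location "
                            f"'{resp['location']}'")
        if not resp["level"].isdigit():
            problems.append(f"response '{name}': <level> must be an integer")
        cmd = commands.get(name)
        if resp["timeout"] and cmd is not None and _text(cmd, "timeout_allowed").lower() != "yes":
            problems.append(f"response '{name}': <timeout> set but command lacks "
                            "<timeout_allowed>yes</timeout_allowed>")
    return disabled, responses, problems


def syscheck_frequency(root, default=7200):
    """Seconds between syscheck runs; OSSEC's default is two hours."""
    value = _text(root, "ossec_config/syscheck/frequency")
    return int(value) if value.isdigit() else default


def report(text):
    """Human-readable summary lines for one ossec.conf body."""
    root = parse_ossec_conf(text)
    disabled, responses, problems = check_active_response(root)
    lines = ["active response globally disabled: %s%s"
             % (disabled, " (ossec-execd will not start on this host)" if disabled else "")]
    for r in responses:
        lines.append("  %-14s location=%-16s level>=%s timeout=%s"
                     % (r["command"], r["location"], r["level"], r["timeout"] or "none"))
    lines.append("syscheck frequency: %d s" % syscheck_frequency(root))
    lines.extend("PROBLEM: " + p for p in problems)
    return lines


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("\n".join(report(source)))
```

Run it as `python check_ossec_conf.py /var/ossec/etc/ossec.conf` on the agent; with no argument it checks the embedded sample. On Martin's file it reports the global `disabled` block, so the remaining `host-deny` and `firewall-drop` entries are inert on that host even though they are still present, which matches Daniel's description of execd not being started, and it points out that the `ossec-execd` seen in his `ps` output is the one thing the config cannot explain.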
