[ossec-list] active-response still not working...

Mon, 18 Sep 2006 19:54:58 -0700

I got slammed tonight by this connection, which amounted to 1000's of entries. 

Sep 18 22:22:20 mail sm-mta[42966]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
Sep 18 22:22:50 mail sm-mta[42967]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
Sep 18 22:23:20 mail sm-mta[42968]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/

The active-response *should* have caught this, but it did not, and I'm still puzzled as to why.

I have these rules:

/var/ossec/etc/ossec.conf:

       [ snip ]
         <!-- Active Response Config -->
         <active-response>
           <!-- This response is going to execute the host-deny
              - command for every event that fires a rule with
              - level (severity) >= 6.
              - The IP is going to be blocked for  600 seconds.
             -->
           <command>host-deny</command>
           <location>local</location>
           <level>6</level>
           <timeout>600</timeout>
         </active-response>

         <active-response>
           <!-- Firewall Drop response. Block the IP for
              - 600 seconds on the firewall (iptables,
              - ipfilter, etc).
             -->
           <command>firewall-drop</command>
           <location>local</location>
           <level>6</level>
           <timeout>600</timeout>
         </active-response>


The rules from /var/ossec/rules/local_rules.xml:


<rule id="100103" level="12" frequency="3" timeframe="120">
    <if_sid>3103</if_sid>
    <match>blocked - see</match>
    <same_source_ip />
    <description>Email RBL block; multiple times</description>
</rule>

       <rule id="100099" level="4">
        <match>reject=421 4.3.2</match>
        <description>421 reject code</description>
       </rule>

       <rule id="100102" level="12" frequency="1" timeframe="120">
           <if_sid>100099</if_sid>
           <match>Connection rate limit exceeded</match>
           <same_source_ip />
           <description>Sendmail connection rate throttle
       trap</description>
       </rule>

Now I would *think* the first one would stop this right away.

Maybe I have levels incorrect?

I see this several times in the alerts.log:

** Alert 1158630994.64347:
2006 Sep 18 21:56:34 mail->/var/log/messages
Rule: 100101 (level 4) -> 'Email blocked due to RBL'
Src IP: 125.131.7.212
User: (none)
sm-mta[42822]: ruleset=check_relay, arg1=[125.131.7.212], arg2=127.0.0.2, relay=[125.131.7.212], reject=553 5.3.0 Message from 125.131.7.212 blocked - see http://www.heise.de/ix/nixspam/dnsbl_en/
In another incident, the Connection Rate Throttle isn't being upped to the right level:

** Alert 1158563267.12801:
2006 Sep 18 03:07:47 mail->/var/log/messages
Rule: 3107 (level 4) -> 'Sendmail rejected message.'
Src IP: 24.109.128.18
User: (none)
sm-mta[12791]: ruleset=check_relay, arg1=S0106000f3d3aea3d.tb.shawcable.net, arg2=24.109.128.18, relay=S0106000f3d3aea3d.tb.shawcable.net [24.109.128.18], reject=421 4.3.2 Connection rate limit exceeded.

Now my rule above is supposed to trigger a firewall block after 3 times of this.

Can someone help me figure out what's wrong.  It may be my misundertanding of the levels config.


Thanks!

Forrest




Reply via email to