The end result of this is that I start getting flooded with RBL reject
messages (the types I don't want to see, unless they happen 3+ times
per same_source_ip).
I got attacked again this morning by botnets (Connection rate throttle
/ sendmail) and OSSEC didn't trip it to the firewall.
Okay, first, here is the complete ruleset of my active response
configuration:
<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<!-- Local configuration -->
<active-response>
  <command>firewall-drop</command>
  <!-- <location>all</location> ?? -->
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <!-- Is "level" necessary here? -->
  <level>12</level>
  <timeout>7200</timeout>
</active-response>
There may be a problem in that which I've not figured out.
Here are the rules in my local_config.xml file:
<!-- Local Rules -->
<!-- 100000 - 109999 User defined rules -->
<!--
  Notes:
  Rule 3101/sendmail_rules.xml
  reject=550 5.0.0 | reject=553 5.3.0
-->
<group name="local">
  <rule id="100099" level="4">
    <match>reject=421 4.3.2</match>
    <description>421 reject code</description>
  </rule>

  <!-- This must match our custom string in /etc/mail/access -->
  <rule id="100100" level="4">
    <if_sid>3103</if_sid>
    <match>Rejected due to abuse</match>
    <description>E-mail blocked due to abuse</description>
  </rule>

  <!-- This must match the RBL string from /etc/mail/sendmail.mc -->
  <rule id="100101" level="4">
    <if_sid>3103</if_sid>
    <match>blocked - see</match>
    <description>Email blocked due to RBL</description>
  </rule>

  <!-- Trap the spam/flood bots
       Specify frequency="1" here, since the trigger is a response
       from Sendmail's throttle config
  -->
  <rule id="100102" level="12" frequency="1" timeframe="120">
    <if_sid>100099</if_sid>
    <match>Connection rate limit exceeded</match>
    <same_source_ip />
    <description>Sendmail connection rate throttle trap</description>
  </rule>

  <rule id="100103" level="12" frequency="3" timeframe="120">
    <if_sid>100101</if_sid>
    <match>blocked - see</match>
    <same_source_ip />
    <description>Email RBL block; multiple times</description>
  </rule>

  <!-- This must match our custom string in /etc/mail/access -->
  <rule id="100104" level="12" frequency="3" timeframe="120">
    <if_sid>3103</if_sid>
    <match>Rejected due to abuse</match>
    <same_source_ip />
    <description>Email access list block; multiple times</description>
  </rule>
</group>
You lost me on the <if_sid> part, especially where I see this as
a hierarchical relationship... so in the rules, if I say:
<rule id="12343454" level="12" frequency="3">
  <if_sid>12345</if_sid>
  <match>some string</match>
  <same_source_ip />
</rule>
To me that says:
rule 12343454
if rule 12345 was triggered
check for a match of "some string" and if TRUE
and it's matched 3 times
and if it's the same_source_ip
<do whatever and tell OSSEC and this is where the
active-response would see>
something like that.
From your reply that doesn't seem to be the case... please explain?
I've been over the docs, but it still doesn't make sense to me.
The basic notifications of "rejected by rbl" I only want to see (and
have acted upon) if they occur more than X times and from the
same_source_ip -- otherwise, there's little point in seeing them ;-)
Thanks for your patience...
Forrest
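For readers following the thread: the distinction the poster is asking about is that in OSSEC `<if_sid>` makes a rule a child of a single event (it fires on every matching log line), while a rule that carries `frequency`/`timeframe` is a composite rule and must point at its parent with `<if_matched_sid>`, which counts earlier alerts of that rule within the timeframe. The fragment below is an added illustration, not the poster's or the OSSEC project's own file; it reuses the rule ids from the post and assumes the sendmail rule 3103 from the stock sendmail_rules.xml.

```xml
<group name="local,">
  <!-- Atomic rule: child of 3103 via if_sid, so it evaluates every single
       sendmail event and fires on each RBL reject. Level 4 stays below the
       active-response <level>6</level>, so one reject does not block anything. -->
  <rule id="100101" level="4">
    <if_sid>3103</if_sid>
    <match>blocked - see</match>
    <description>Email blocked due to RBL</description>
  </rule>

  <!-- Composite rule: if_matched_sid (not if_sid) tells OSSEC to look back
       over the last 120 seconds for 3 earlier 100101 alerts that share the
       same source IP. No <match> is needed here, the parent already did it.
       Level 12 is what reaches the firewall-drop active response. -->
  <rule id="100103" level="12" frequency="3" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Email RBL block; 3+ times from one host in 120s</description>
  </rule>
</group>
```

The level-4 alerts still appear in the alert log; whether they are mailed out is governed by the `email_alert_level` setting in ossec.conf, so raising that above 4 hides the single rejects while the level-12 composite alert still gets through.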