Daniel,

Excellent, I had a suspicion that it was something like that. Thanks for the response!

-Joel

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Thursday, September 21, 2006 12:08 PM
To: [email protected]
Subject: [ossec-list] Re: Active Response not working...

Hi Joel,

I thought I had replied to you already, but it looks like I didn't.

If you look at your logs you will see some messages about "invalid username '?'". The problem is that ossec validates the username/srcip before sending them to the active response scripts, and it was considering the user "?" as invalid.

I made some changes to fix it and it is available in the 0.9-2 beta version (and it will be in the final 0.9-2).

http://www.ossec.net/files/snapshots/

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/16/06, Joel Gray <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I've recently had a series of attacks that cause the appropriate alert
> level 10 to fire; however, on the client they come from, the active
> response is not running the firewall-drop script. It does work for
> most of the ssh attacks that come in, adding the iptables rule and 600
> seconds later removing it.
>
> The only thing that I've noticed that is different is that the host is
> reported as [EMAIL PROTECTED] instead of a username. I ran the firewall-drop
> script and enclosed the ? with single quotes '?' and it added my
> iptables rule just fine. I do not know if that has anything to do
> with it or not, but I wanted to let you know just in case.
>
> Here is the alert.
>
> OSSEC HIDS Notification.
> 2006 Sep 16 07:42:06
>
> Received From: (xxxxx) x.x.x.x.->/var/log/messages
> Rule: 11306 fired (level 10) -> "FTP brute force (multiple failed
> logins)."
> Portion of the log(s):
>
> pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user
> [Administrator]
> pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user
> [Administrator]
> pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user
> [Administrator]
> pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user
> [Administrator]
> pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user
> [Administrator]
> pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user
> [Administrator]
> pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user
> [Administrator]
>
>
>
> --END OF NOTIFICATION
>
>
>
> - Joel
>
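Daniel's message says ossec validates the username and srcip before handing them to an active-response script, and that a pure-ftpd "?" user (the placeholder pure-ftpd logs when the client never sent a username) was being refused. The following Python sketch is an added example written for this page; it is not OSSEC's own code and not something either poster wrote. It parses constructed pure-ftpd lines, counts failures per source, and only dispatches a response once both fields pass a check that allows "?" but refuses shell metacharacters and masked addresses such as x.x.x.x. The script path, the "action user srcip" argument order, the failure threshold, and the sample log lines (addresses from the documentation ranges) are all assumptions made for the example.

```python
"""Hypothetical active-response dispatcher with field validation.

Added example for this thread; not OSSEC's code. Script path, argument
order and threshold below are assumptions, not the project's settings.
"""
import ipaddress
import re
import subprocess
from collections import Counter

FIREWALL_DROP = "/var/ossec/active-response/bin/firewall-drop.sh"  # assumed
THRESHOLD = 6  # failures from one source before we act (assumed)

# pure-ftpd logs "(user@ip)" and writes '?' as the user when none was sent.
PUREFTPD_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@)]*)@(?P<ip>[^)]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<target>[^\]]*)\]"
)

# Allowlist for usernames reaching the script: '?' is deliberately
# permitted, while ';', '|', '`', '$', spaces and quotes are not.
USER_RE = re.compile(r"^[A-Za-z0-9._@?-]{1,64}$")


class InvalidArgument(ValueError):
    """Raised when an alert field must not reach the response script."""


def validate_user(user: str) -> str:
    if not USER_RE.fullmatch(user):
        raise InvalidArgument(f"invalid username '{user}'")
    return user


def validate_srcip(srcip: str) -> str:
    # ipaddress rejects masked values like 'x.x.x.x' and anything carrying
    # metacharacters; it also normalises the textual form of the address.
    try:
        return str(ipaddress.ip_address(srcip))
    except ValueError:
        raise InvalidArgument(f"invalid srcip '{srcip}'") from None


def build_argv(action: str, user: str, srcip: str) -> list[str]:
    if action not in ("add", "delete"):
        raise InvalidArgument(f"invalid action '{action}'")
    # One argv element per field and no shell in between, so a '?' cannot
    # be glob-expanded and needs no quoting.
    return [FIREWALL_DROP, action, validate_user(user), validate_srcip(srcip)]


def run_response(argv: list[str], dry_run: bool = True):
    """Return the argv when dry-running, else the script's exit status."""
    if dry_run:
        return argv
    return subprocess.run(argv, check=False, timeout=30).returncode


def parse_pureftpd(line: str):
    m = PUREFTPD_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None


def responses_for(lines, threshold: int = THRESHOLD):
    """Split sources that crossed the threshold into dispatchable argv lists
    and (ip, reason) pairs that validation refused."""
    failures = Counter()
    last_user = {}
    for line in lines:
        parsed = parse_pureftpd(line)
        if parsed is None:
            continue
        user, ip = parsed
        failures[ip] += 1
        last_user[ip] = user
    accepted, rejected = [], []
    for ip, count in failures.items():
        if count < threshold:
            continue
        try:
            accepted.append(build_argv("add", last_user[ip], ip))
        except InvalidArgument as exc:
            rejected.append((ip, str(exc)))
    return accepted, rejected


# Constructed sample lines in pure-ftpd's format (not the original post's).
SAMPLE_LOG = (
    ["pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [Administrator]"] * 7
    + ["pure-ftpd: (bob@198.51.100.7) [WARNING] Authentication failed for user [bob]"] * 2
    + ["pure-ftpd: (x;id@203.0.113.5) [WARNING] Authentication failed for user [root]"] * 6
)

if __name__ == "__main__":
    accepted, rejected = responses_for(SAMPLE_LOG)
    for argv in accepted:
        print("would run:", run_response(argv, dry_run=True))
    for ip, reason in rejected:
        print("refused:", ip, reason)
```

Run as a module it reports one response for 192.0.2.10 with user "?", skips 198.51.100.7 for being under the threshold, and refuses 203.0.113.5 because its user field carries a ";". Because the script is started with an argv list rather than a shell command line, the "?" never reaches a shell, which is what makes the single quotes Joel had to add by hand unnecessary: an unquoted "?" on a shell command line is a glob that matches any one-character filename in the current directory.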
