Here are the entries from the active-responses log. Note that in every line the two argument fields after `add`/`delete` (user and source IP) are empty (`- -`), i.e. host-deny.sh was never given an address to block.
Thu Oct 12 11:35:00 MDT 2006 /var/ossec/active-response/bin/host-deny.sh add - -
Thu Oct 12 11:51:08 MDT 2006 /var/ossec/active-response/bin/host-deny.sh delete - -
Thu Oct 12 16:44:50 MDT 2006 /var/ossec/active-response/bin/host-deny.sh add - -
Thu Oct 12 16:55:54 MDT 2006 /var/ossec/active-response/bin/host-deny.sh delete - -
Thu Oct 12 20:49:07 MDT 2006 /var/ossec/active-response/bin/host-deny.sh add - -
Mon Oct 16 15:17:45 MDT 2006 /var/ossec/active-response/bin/host-deny.sh delete - -
######
Config
######
<rules>
<!-- Rule files to load, in the order listed. policy_rules.xml is
     commented out and therefore not loaded; local_rules.xml is kept
     near the end of the list. -->
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>racoon_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
<include>ossec_rules.xml</include>
</rules>
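<syscheck>
<!-- How often syscheck runs, in seconds. The OSSEC default is 7200
     (2 hours); this host scans every hour. -->
<frequency>3600</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore. /etc/hosts.deny is excluded because the
     host-deny active response rewrites it on every block/unblock, which
     would otherwise raise a syscheck alert each time. The trade-off is
     that any other modification of hosts.deny (e.g. an attacker
     removing a block) is also not reported by syscheck. -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<!-- Windows files to ignore (line-wrapped end tags from the original
     listing have been re-joined so the element is well-formed) -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
</syscheck>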
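<rootcheck>
<!-- Rootkit signature lists read from the shared directory. The end
     tags were line-wrapped in the original listing and are re-joined
     here so the element parses. -->
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>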
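<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<!-- The script must be handed the source IP of the offending event.
     This was misspelled "scrip", so no address was ever passed and every
     entry in the responses log read "host-deny.sh add - -" with an empty
     IP field; hosts.deny was touched but nothing was added. -->
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>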
<active-response>
<!-- Run the host-deny command for every event that fires a rule with
     level (severity) >= 10, e.g. rule 5712 "SSHD brute force".
     The block is removed after <timeout> seconds: 86400 = 24 hours
     (the stock OSSEC behaviour is to unblock after 10 minutes).
     NOTE(review): the responses log shows the first two add/delete pairs
     only 11-16 minutes apart, not 24 hours; confirm the daemon was
     restarted after this timeout was changed. Also confirm the
     command's <expect> is spelled "srcip" - the "- -" in the log means
     the script received no address to block. -->
<command>host-deny</command>
<location>local</location>
<level>10</level>
<timeout>86400</timeout>
</active-response>
<alerts>
<!-- Alerts of level 1 and above are written to the alert log; level 7
     and above are also sent by e-mail. -->
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<!-- /var/log/secure is where the sshd "Failed password"/"Invalid user"
     lines in this thread come from (rule 5712 fired on *->/var/log/secure). -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
</ossec_config>
On Oct 18, 2006, at 4:34 PM, Daniel Cid wrote:
>
> Hi Leif,
>
> If you are seeing the file being touched, it is because ossec is
> accessing it.
> However, by default, ossec will remove the block after 10 minutes. You
> mentioned you change the timeout to 24 hours, can you show us your
> ossec.conf file? In addition to that, ossec logs all responses at
> /var/ossec/active-response/ossec-hids-responses.log . Do you see
> any entry in there? Is there anything at /var/ossec/logs/ossec.log
> that indicates an error ?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 10/18/06, Leif Kennedy <[EMAIL PROTECTED]> wrote:
>>
>> Hello,
>> I have version 0.9.2 of OSSEC and am having issues with addresses
>> not being added to hosts.deny when an active response is triggered.
>> I have the active response set up to fire the host-deny command at
>> level 10.
>> I am seeing the /etc/hosts.deny file being touched at that time but
>> no entries are being added.
>> I have the timeout set for 24 hrs
>> Any help would be appreciated
>> Received From: *->/var/log/secure
>> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access
>> to the system."
>> Portion of the log(s):
>>
>> sshd[17033]: Failed password for invalid user admin from ::ffff:82.77.140.41 port 62783 ssh2
>> sshd[17033]: Invalid user admin from ::ffff:82.77.140.41
>> sshd[17031]: Failed password for invalid user fluffy from ::ffff:82.77.140.41 port 62619 ssh2
>> sshd[17031]: Invalid user fluffy from ::ffff:82.77.140.41
>> sshd[17029]: Failed password for invalid user slasher from ::ffff:82.77.140.41 port 62485 ssh2
>> sshd[17029]: Invalid user slasher from ::ffff:82.77.140.41
>> sshd[17025]: Failed password for invalid user sifak from ::ffff:82.77.140.41 port 62357 ssh2
>>
>>