First, I just want to say this is a great program, and it would be perfect if I
could figure out what I am doing wrong regarding OSSEC monitoring, logging,
and reacting to iptables firewall entries.

I would like to have OSSEC block IPs based on multiple drops (nothing outside
of what is in firewall_rules.xml); however, it doesn't seem to be working
properly. I changed the rule to look like the following:

  <rule id="4151" level="10" frequency="5" timeframe="120" ignore="240">

Only the changed line is included; basically, I just made it more sensitive.

I have firewall drops going to messages and OSSEC is monitoring syslog with
the following in ossec.conf:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

Active response is set up like the following:

  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 1200 seconds
       - (the <timeout> below).
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>1200</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 1200 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>1200</timeout>
  </active-response>

iptables is set up to write to messages with the following format (one log line, wrapped here):

Jun  9 15:37:27 host kernel: [608615.235372] Drop off input chain: IN=ppp0 OUT= MAC= SRC=<someip> DST=<someip> LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=53574 DF PROTO=TCP SPT=11018 DPT=48265 WINDOW=0 RES=0x00 RST URGP=0

In the case of the snippet above, there are about 30 of these within a
minute, same src and dst.

Now, based on my understanding, OSSEC should be writing these to
ossec/logs/firewall/firewall.log and then invoking active response to add
an entry to iptables and hosts.deny. None of these things are happening.

I hope that this all makes sense, and that someone on the list can provide
some assistance.

Thanks!
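
The following is an added, stand-alone illustration of the behaviour the post above expects from OSSEC, written for this page; it is not OSSEC's own decoder or rule engine. It decodes kernel netfilter lines of the exact shape quoted in the post from a syslog stream, correlates drops per source IP with the frequency=5 / timeframe=120 / ignore=240 values the post sets on rule 4151, and lists which of the two active responses from the posted ossec.conf (host-deny and firewall-drop, level 6, timeout 1200) would fire. The sample log lines are constructed with documentation IP addresses; the treatment of `ignore` (no new alert for that source until the period expires) and the year used for timestamp arithmetic are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog prefix of a kernel line. The free-text prefix given to the LOG target
# ("Drop off input chain:") and the "[uptime]" stamp stay inside "msg".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s+(?P<msg>.*)$"
)
# Netfilter fields; searched rather than anchored so any log prefix is tolerated.
IPTABLES_RE = re.compile(
    r"IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?:.*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)


def decode(line, year=2024):
    """Return the netfilter fields of a kernel drop line, or None for anything else.
    Syslog lines carry no year, so one is assumed (only time differences matter here)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    body = IPTABLES_RE.search(m.group("msg"))
    if body is None:
        return None  # a kernel line that is not a netfilter log entry
    fields = body.groupdict()
    fields["timestamp"] = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}", "%Y %b %d %H:%M:%S"
    )
    return fields


class DropCorrelator:
    """Approximation of <rule frequency= timeframe= ignore=> with <same_source_ip/>:
    alert once a source reaches `frequency` drops within `timeframe` seconds, then
    stay quiet for that source for `ignore` seconds. Active responses whose <level>
    is at or below the rule level are reported as fired."""

    def __init__(self, rule_id=4151, rule_level=10, frequency=5, timeframe=120,
                 ignore=240, responses=None):
        self.rule_id = rule_id
        self.rule_level = rule_level
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.ignore = timedelta(seconds=ignore)
        # (command, <level>, <timeout>) as in the ossec.conf quoted in the post
        self.responses = responses or [("host-deny", 6, 1200), ("firewall-drop", 6, 1200)]
        self.history = defaultdict(deque)  # src -> drop timestamps inside the window
        self.ignored_until = {}            # src -> no new alert before this time

    def feed(self, line):
        """Process one log line; return an alert dict when the rule fires, else None."""
        ev = decode(line)
        if ev is None:
            return None
        src, ts = ev["src"], ev["timestamp"]
        window = self.history[src]
        window.append(ts)
        while ts - window[0] > self.timeframe:  # discard drops that aged out
            window.popleft()
        if len(window) < self.frequency:
            return None
        if ts < self.ignored_until.get(src, ts):
            return None
        count = len(window)
        window.clear()
        self.ignored_until[src] = ts + self.ignore
        fired = [
            {"command": cmd, "src": src, "unblock_at": ts + timedelta(seconds=timeout)}
            for cmd, min_level, timeout in self.responses
            if self.rule_level >= min_level
        ]
        return {"rule": self.rule_id, "level": self.rule_level, "src": src,
                "count": count, "timestamp": ts, "responses": fired}


def kernel_drop(stamp, src, dst="198.51.100.2", spt=11018, dpt=48265):
    """Constructed sample line in the shape quoted in the post (documentation IPs)."""
    return (f"Jun  9 {stamp} host kernel: [608615.235372] Drop off input chain: "
            f"IN=ppp0 OUT= MAC= SRC={src} DST={dst} LEN=40 TOS=0x00 PREC=0x00 TTL=47 "
            f"ID=53574 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=0 RES=0x00 RST URGP=0")


# Constructed syslog excerpt: six drops from one source in 25 s, one from another,
# plus two lines the decoder must skip.
SAMPLE_LOG = [
    kernel_drop("15:37:27", "203.0.113.7"),
    "Jun  9 15:37:30 host sshd[4120]: Accepted publickey for ops from 192.0.2.5 port 51234 ssh2",
    kernel_drop("15:37:32", "203.0.113.7"),
    kernel_drop("15:37:35", "198.51.100.9"),
    kernel_drop("15:37:37", "203.0.113.7"),
    "Jun  9 15:37:40 host kernel: [608628.001122] ppp0: link is up",
    kernel_drop("15:37:42", "203.0.113.7"),
    kernel_drop("15:37:47", "203.0.113.7"),  # fifth drop inside 120 s: rule fires
    kernel_drop("15:37:52", "203.0.113.7"),  # inside the ignore period: no second alert
]


def run(lines, **rule_kwargs):
    """Feed every line through one correlator and collect the alerts it raises."""
    corr = DropCorrelator(**rule_kwargs)
    return [a for a in (corr.feed(line) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"rule {alert['rule']} level {alert['level']}: {alert['count']} drops from "
              f"{alert['src']} by {alert['timestamp']:%H:%M:%S}")
        for r in alert["responses"]:
            print(f"  {r['command']} {r['src']} until {r['unblock_at']:%H:%M:%S}")
```

Running it with the defaults produces exactly one alert for 203.0.113.7 at the fifth drop, with both responses listed and an unblock time 1200 s later; `run(SAMPLE_LOG, frequency=8)` yields nothing, which is the difference "making the rule more sensitive" is meant to make, and `run(SAMPLE_LOG, rule_level=5)` still alerts but fires no response because both responses require level 6.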
