Hi,

OSSEC doesn't have its own firewall, so it uses whatever the system has available (iptables for Linux, pf for OpenBSD, etc).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Feb 29, 2008 at 10:29 AM, <[EMAIL PROTECTED]> wrote:
>
> Daniel,
> I just checked; the iptables service is stopped on the server.
> Can we use any other firewall, or do we need to go with iptables only for ossec to work?
> Doesn't ossec have an inbuilt firewall?
>
> Thanks
>
> ----- Original Message -----
> From: "Daniel Cid" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Friday, February 29, 2008 5:08 PM
> Subject: [ossec-list] Re: Active response not working
>
> > Hi DM,
> >
> > From your logs, it seems that active response is working:
> >
> > Sat Feb 23 04:15:12 EST 2008 /var/ossec/active-response/bin/host-deny.sh add - 62.43.206.19 1203758112.12758 5712
> > Sat Feb 23 04:15:12 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 62.43.206.19 1203758112.12758 5712
> >
> > However, by default, ossec removes the entries from iptables after 10 minutes...
> > That's why you are probably not seeing them (increase the "timeout" option if you want it to be longer).
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On Tue, Feb 26, 2008 at 12:10 AM, <[EMAIL PROTECTED]> wrote:
> >>
> >> Hello Daniel,
> >> I am running ossec as "local".
> >> Below is the output of the log files you asked for.
> >>
> >> cat /var/ossec/logs/active-responses.log
> >>
> >> Fri Feb 22 13:14:13 EST 2008 /var/ossec/active-response/bin/host-deny.sh delete - 59.108.98.1 1203703424.22785 5706
> >> Fri Feb 22 13:14:13 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 59.108.98.1 1203703424.22785 5706
> >> Sat Feb 23 01:27:16 EST 2008 /var/ossec/active-response/bin/host-deny.sh add - 60.190.240.70 1203748036.289 5706
> >> Sat Feb 23 01:27:16 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 60.190.240.70 1203748036.289 5706
> >> Sat Feb 23 01:37:46 EST 2008 /var/ossec/active-response/bin/host-deny.sh delete - 60.190.240.70 1203748036.289 5706
> >> Sat Feb 23 01:37:46 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 60.190.240.70 1203748036.289 5706
> >> Sat Feb 23 03:14:59 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 62.43.206.19 1203754499.6039 5706
> >> Sat Feb 23 03:14:59 EST 2008 /var/ossec/active-response/bin/host-deny.sh add - 62.43.206.19 1203754499.6039 5706
> >> Sat Feb 23 03:25:29 EST 2008 /var/ossec/active-response/bin/host-deny.sh delete - 62.43.206.19 1203754499.6039 5706
> >> Sat Feb 23 03:25:29 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 62.43.206.19 1203754499.6039 5706
> >> Sat Feb 23 04:15:12 EST 2008 /var/ossec/active-response/bin/host-deny.sh add - 62.43.206.19 1203758112.12758 5712
> >> Sat Feb 23 04:15:12 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 62.43.206.19 1203758112.12758 5712
> >> Sat Feb 23 04:25:41 EST 2008 /var/ossec/active-response/bin/host-deny.sh delete - 62.43.206.19 1203758112.12758 5712
> >> Sat Feb 23 04:25:41 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 62.43.206.19 1203758112.12758 5712
> >>
> >> cat /var/ossec/logs/ossec.log
> >>
> >> 2008/02/22 05:13:38 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> >> 2008/02/22 05:13:38 ossec-analysisd: White listing IP: '127.0.0.1'
> >> 2008/02/22 05:13:38 ossec-analysisd: White listing IP: '216.52.190.1'
> >> 2008/02/22 05:13:38 ossec-analysisd: White listing IP: '216.52.190.33'
> >> 2008/02/22 05:13:38 ossec-analysisd: 3 IPs in the white list for active response.
> >> 2008/02/22 05:13:38 ossec-analysisd: White listing Hostname: 'localhost.localdomain'
> >> 2008/02/22 05:13:38 ossec-analysisd: 1 Hostname(s) in the white list for active response.
> >> 2008/02/22 05:13:38 ossec-analysisd: Started (pid: 14899).
> >> 2008/02/22 05:13:38 ossec-monitord: Started (pid: 14916).
> >> 2008/02/22 05:13:40 ossec-syscheckd: Started (pid: 14910).
> >> 2008/02/22 05:13:40 ossec-rootcheck: Started (pid: 14910).
> >> 2008/02/22 05:13:41 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
> >> 2008/02/22 05:13:44 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> >> 2008/02/22 05:13:44 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> >> 2008/02/22 05:13:44 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> >> 2008/02/22 05:13:44 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
> >> 2008/02/22 05:13:44 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
> >> 2008/02/22 05:13:44 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/access_log'.
> >> 2008/02/22 05:13:44 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/error_log'.
> >> 2008/02/22 05:13:44 ossec-logcollector: Started (pid: 14904).
> >> 2008/02/25 07:49:25 ossec-monitord(1225): SIGNAL Received. Exit Cleaning...
> >> 2008/02/25 07:49:25 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning...
> >> 2008/02/25 07:49:25 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning...
> >> 2008/02/25 07:49:25 ossec-analysisd(1225): SIGNAL Received. Exit Cleaning...
> >> 2008/02/25 07:49:25 ossec-maild(1225): SIGNAL Received. Exit Cleaning...
> >> 2008/02/25 07:49:25 ossec-execd(1314): Shutdown received. Deleting responses.
> >> 2008/02/25 07:49:25 ossec-execd(1225): SIGNAL Received. Exit Cleaning..
> >>
> >> cat /var/ossec/logs/alerts/alerts.log
> >>
> >> ** Alert 1203926194.1002: mail - ossec,syscheck,
> >> 2008 Feb 25 02:56:34 localhost->syscheck
> >> Rule: 552 (level 7) -> 'Integrity checksum changed again (3rd time).'
> >> Src IP: (none)
> >> User: (none)
> >> Integrity checksum changed for: '/etc/sysconfig/vz-scripts/150.conf'
> >> Size changed from '2148' to '2145'
> >> Old md5sum was: 'ebc7d002c613cd384a4e220890c1ced9'
> >> New md5sum is : 'c477e0f6976810d2634915870a1761d6'
> >> Old sha1sum was: 'a8f5d2ba2ec6703b01ff096b6db62e026330ac6e'
> >> New sha1sum is : '6f1e1794a41414f6760049359e266906902cfe91'
> >>
> >> ** Alert 1203931298.1519: - syslog,sshd,
> >> 2008 Feb 25 04:21:38 localhost->/var/log/secure
> >> Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
> >> Src IP: x.x.x.x
> >> User: (none)
> >> Feb 25 04:21:38 localhost sshd[22534]: reverse mapping checking getaddrinfo for x.x.x.x failed - POSSIBLE BREAK-IN ATTEMPT!
> >>
> >> ** Alert 1203931332.1888: - syslog,sshd,authentication_success,
> >> 2008 Feb 25 04:22:12 localhost->/var/log/secure
> >> Rule: 5715 (level 3) -> 'SSHD authentication success.'
> >> Src IP: x.x.x.x
> >> User: james
> >> Feb 25 04:22:10 localhost sshd[22534]: Accepted password for james from x.x.x.x port 1839 ssh2
> >>
> >> ** Alert 1203931338.2193: - syslog, su,authentication_success,
> >> 2008 Feb 25 04:22:18 localhost->/var/log/secure
> >> Rule: 5303 (level 3) -> 'User sucessfully changed UID to root.'
> >> Src IP: (none)
> >> User: (none)
> >> Feb 25 04:22:16 localhost su: pam_unix(su-l:session): session opened for user root by james(uid=504)
> >>
> >> ** Alert 1203939580.2498: mail - syslog,fts
> >> 2008 Feb 25 06:39:40 localhost->/var/log/secure
> >> Rule: 10100 (level 4) -> 'First time user logged in.'
> >> Src IP: x.x.x.x
> >> User: twovm
> >> Feb 25 06:39:39 localhost sshd[6301]: Accepted password for twovm from x.x.x.x port 61131 ssh2
> >>
> >> Regards,
> >> DM
> >>
> >> ----- Original Message -----
> >> From: "Daniel Cid" <[EMAIL PROTECTED]>
> >> To: <[email protected]>
> >> Sent: Tuesday, February 26, 2008 5:18 AM
> >> Subject: [ossec-list] Re: Active response not working
> >>
> >> > Hi DM,
> >> >
> >> > Can you give us a bit more information?
> >> >
> >> > - Are you running ossec local (or agent/server type)?
> >> > - Show us the content of /var/ossec/logs/active-responses.log (active responses are logged in there) and from /var/ossec/logs/ossec.log.
> >> > - Show us the alert (from /var/ossec/logs/alerts/alerts.log) that was supposed to generate a response.
> >> >
> >> > I think that should help us understand what is going on...
> >> >
> >> > Thanks,
> >> >
> >> > --
> >> > Daniel B. Cid
> >> > dcid ( at ) ossec.net
> >> >
> >> > On Sat, Feb 23, 2008 at 10:14 AM, <[EMAIL PROTECTED]> wrote:
> >> >>
> >> >> Daniel,
> >> >> Can you please suggest something? Why is active response not working in a fresh ossec install?
> >> >>
> >> >> Thanks
> >> >> Regards,
> >> >> DM
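An added example, not code from the thread or from the OSSEC project: a small Python script that reconciles the add/delete pairs in active-responses.log, using the log lines DM posted above as sample input, to check how long each block actually stayed in place. It assumes the field layout shown in those lines (date stamp, script path, action, user, IP, alert id, rule id) and treats a delete with no matching add in the window as an orphan rather than an error.

```python
from datetime import datetime

# Sample input: active-responses.log lines copied from DM's message in the thread above.
SAMPLE_LOG = """\
Fri Feb 22 13:14:13 EST 2008 /var/ossec/active-response/bin/host-deny.sh delete - 59.108.98.1 1203703424.22785 5706
Sat Feb 23 01:27:16 EST 2008 /var/ossec/active-response/bin/host-deny.sh add - 60.190.240.70 1203748036.289 5706
Sat Feb 23 01:27:16 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 60.190.240.70 1203748036.289 5706
Sat Feb 23 01:37:46 EST 2008 /var/ossec/active-response/bin/host-deny.sh delete - 60.190.240.70 1203748036.289 5706
Sat Feb 23 01:37:46 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 60.190.240.70 1203748036.289 5706
Sat Feb 23 04:15:12 EST 2008 /var/ossec/active-response/bin/host-deny.sh add - 62.43.206.19 1203758112.12758 5712
Sat Feb 23 04:15:12 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 62.43.206.19 1203758112.12758 5712
Sat Feb 23 04:25:41 EST 2008 /var/ossec/active-response/bin/host-deny.sh delete - 62.43.206.19 1203758112.12758 5712
Sat Feb 23 04:25:41 EST 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 62.43.206.19 1203758112.12758 5712
"""

def parse_line(line):
    """One entry -> (timestamp, script name, action, ip, alert id, rule id).
    Layout assumed: weekday month day time zone year script action user ip alert_id rule_id."""
    parts = line.split()
    stamp = datetime.strptime(" ".join(parts[0:4] + parts[5:6]), "%a %b %d %H:%M:%S %Y")
    script = parts[6].rsplit("/", 1)[-1]
    action, _user, ip, alert_id, rule_id = parts[7:12]
    return stamp, script, action, ip, alert_id, rule_id

def reconcile(log_text):
    """Pair each add with its delete (same script, ip and alert id). Returns
    durations     {(script, ip, alert_id): seconds the block was in place},
    still_active  adds with no delete yet (block should still be in the firewall),
    orphans       deletes whose add lies outside this log window."""
    open_adds, durations, orphans = {}, {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, script, action, ip, alert_id, _rule = parse_line(line)
        key = (script, ip, alert_id)
        if action == "add":
            open_adds[key] = stamp
        elif action == "delete" and key in open_adds:
            durations[key] = int((stamp - open_adds.pop(key)).total_seconds())
        elif action == "delete":
            orphans.append(key)
    return durations, open_adds, orphans

if __name__ == "__main__":
    durations, active, orphans = reconcile(SAMPLE_LOG)
    for (script, ip, _alert), secs in durations.items():
        print(f"{script:17} {ip:15} removed after {secs // 60}m{secs % 60:02d}s")
    print("still active:", list(active), "orphan deletes:", orphans)
```

Every paired block in the sample comes out at roughly 630 seconds, which is the default 10-minute timeout Daniel refers to; anything listed as still active is a block that was never undone and is worth checking against the live iptables rules.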
