Hi Daniel,

first of all we tried the server location "local" and attacked the agent again. The connection between the server and the attacker was disconnected, but the connection between the attacker and the agent server still works fine!

We understand the location "local", but it doesn't work on our side. We also reinstalled the agent and the server, but that didn't fix our problem.

The server recognized the attack from the IP 192.168.7.56 in the file /var/ossec/logs/active-response.log:

Tue Jun 10 08:11:26 CEST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.7.56 1213078286.11069 31101

But on the agent side the same file doesn't exist!

The web interface also shows us the possible attack (after the timeout has expired):

2008 Jun 10 08:10:31
Rule Id: 5710 level: 5
Location: (agent) 192.168.7.219->/var/log/auth.log
Src IP: 192.168.7.56
Attempt to login using a non-existent user
Jun 10 08:10:31 agent sshd[2255]: Failed password for invalid user test from 192.168.7.56 port 1208 ssh2

We changed the location entry back to "defined-agent" and restarted the server again. The secure connection between server and agent seems to work! The log files on the server and the agent show no errors that indicate communication problems.

Server side:
OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 002

The syscheck on the agent starts one or two minutes later.

Hm, where is the problem? Is there still a problem between SLES and Debian?

Thanks for your help.

> Hi Joachim,
>
> Your configuration seems fine, so it should be working. Can you show us the alert that you expected the active response to run (from /var/ossec/logs/alerts.log)? Also, can you show the file /var/ossec/logs/active-response.log from the agent?
>
> *Note that the timeout is set to 300 seconds, so after 5 minutes, the entry will be removed from the agent's firewall.
>
> **You said that when you changed to "local" and attacked the agent, the server blocked your access. Are you sure about that? When you set "local", ossec will block on the agent that reported the alert.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, Jun 9, 2008 at 3:14 AM, Joachim Krais <[EMAIL PROTECTED]> wrote:
>>
>> Hello together,
>>
>> we use OSSEC as server/agent on SLES9 (OSSEC server) and Debian servers (OSSEC agent). We want to react to unauthorized access/connections on the agent side. The secure connection between the agent and the server is established. The agent sends data to the server. The server and the agent are correctly installed as server and agent.
>>
>> We have the problem that neither the agent nor the server reacts with an active response. In the OSSEC log file on the agent side we can't find any recognition. If we change the location in the server configuration to "local" and we attack the agent, the server locks our connections for the configured time, but the agent doesn't react!
>>
>> We use OSSEC version 1.5.
>> Where is the problem?
>> Here is the server configuration:
>>
>>   <command>
>>     <name>firewall-drop</name>
>>     <executable>firewall-drop.sh</executable>
>>     <expect>srcip</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <!-- We act on these IDs:
>>        11251-53: proftp
>>        11451,52: vsftp
>>        5701,5703,5705,5710,5712,5719,5720: ssh
>>        30114: apache
>>        31151-54,31161: webrules
>>        5631: telnet
>>        5551: pam
>>        40601: attack
>>   -->
>>
>>   <active-response>
>>     <command>firewall-drop</command>
>>     <location>defined-agent</location>
>>     <agent_id>002</agent_id>
>>     <rules_id>5701,5703,5705,5710,5712,5719,5720,40601</rules_id>
>>     <timeout>300</timeout>
>>   </active-response>
>>
>> Could anybody help us?
>> Thanks a lot.
>>
>> Joachim Krais
>> --
>> Kind regards
>> Joachim Krais
>> Deutsche Telekom AG
>> Zentrum Technik Netzmanagement
>> Joachim Krais, Dipl.-Ing. (FH)
>> Systems Engineer NIP1 Central Servers
>> Olgastr. 67, 89073 Ulm
>> +49 731 100-84416 (Tel.)
>> +49 731 100-84066 (Fax)
>> +49 171 3027783 (Mobile)
>> E-Mail: [EMAIL PROTECTED]
>> http://www.telekom.com
>> Deutsche Telekom AG
>> Supervisory Board: Dr. Klaus G. Schlede (Chairman)
>> Board of Management: René Obermann (Chairman), Dr. Karl-Gerhard Eick (Deputy Chairman), Hamid Akhavan, Reinhard Clemens, Timotheus Höttges, Thomas Sattelberger
>> Commercial Register: Amtsgericht Bonn HRB 6794
>> Registered office: Bonn
>> WEEE Reg. No.: DE50478376
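Daniel asks for the agent's /var/ossec/logs/active-response.log, and the thread turns on whether the firewall-drop "add" ran on the agent and whether the matching "delete" followed after the 300-second timeout. The following Python script is an added example, not from this thread or from the OSSEC project: it reads a copy of that log, pairs each add with its delete per source IP and alert id, and sorts the results into blocks that expired on schedule, blocks still open, and anomalies. The field layout (date, script, action, user, source IP, alert id, rule id) is an assumption taken from the single real line quoted above; the sample log lines are constructed, with one delete placed exactly 300 seconds after its add and one add with no delete at all.

```python
"""Audit an OSSEC agent's active-response.log: pair every firewall-drop
'add' with its 'delete' and check the block lasted the configured timeout.
Field layout is assumed from the line quoted in the thread:
  <date> <tz> <year> <script> <add|delete> <user> <srcip> <alert id> <rule id>
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real log data) in the assumed layout.
SAMPLE_LOG = """\
Tue Jun 10 08:11:26 CEST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.7.56 1213078286.11069 31101
Tue Jun 10 08:16:26 CEST 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.7.56 1213078286.11069 31101
Tue Jun 10 09:02:10 CEST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.9 1213081330.12000 5710
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\d+)$"
)


@dataclass
class ArEntry:
    when: datetime
    script: str
    action: str
    srcip: str
    alert_id: str
    rule_id: int


@dataclass
class BlockRecord:
    srcip: str
    rule_id: int
    added: datetime
    deleted: Optional[datetime] = None

    def duration_seconds(self) -> Optional[float]:
        """Seconds the block was in place, or None if no delete was seen."""
        if self.deleted is None:
            return None
        return (self.deleted - self.added).total_seconds()


def parse_line(line: str) -> Optional[ArEntry]:
    """Parse one active-response.log line; unrelated or malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m.group('date')} {m.group('year')}", "%a %b %d %H:%M:%S %Y")
    return ArEntry(when, m.group("script"), m.group("action"), m.group("srcip"),
                   m.group("alert_id"), int(m.group("rule_id")))


def parse_active_response(text: str) -> List[ArEntry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def audit_blocks(entries: List[ArEntry], timeout: int, slack: int = 60) -> Dict[str, List[BlockRecord]]:
    """Pair adds with deletes keyed by (srcip, alert_id) and bucket them:
    'ok'   - delete arrived between timeout and timeout+slack seconds after the add
    'open' - add with no delete yet (still blocked, or the delete never ran)
    'odd'  - delete without a matching add, or delete at an unexpected offset
    """
    open_blocks: Dict[Tuple[str, str], BlockRecord] = {}
    result: Dict[str, List[BlockRecord]] = {"ok": [], "open": [], "odd": []}
    for e in sorted(entries, key=lambda x: x.when):
        key = (e.srcip, e.alert_id)
        if e.action == "add":
            open_blocks[key] = BlockRecord(e.srcip, e.rule_id, e.when)
            continue
        rec = open_blocks.pop(key, None)
        if rec is None:
            # delete with no add: the agent unblocked something it never recorded blocking
            result["odd"].append(BlockRecord(e.srcip, e.rule_id, e.when, e.when))
            continue
        rec.deleted = e.when
        dur = rec.duration_seconds()
        bucket = "ok" if timeout <= dur <= timeout + slack else "odd"
        result[bucket].append(rec)
    result["open"].extend(open_blocks.values())
    return result


if __name__ == "__main__":
    report = audit_blocks(parse_active_response(SAMPLE_LOG), timeout=300)
    for bucket, records in report.items():
        for r in records:
            print(f"{bucket:4} {r.srcip:15} rule {r.rule_id} added {r.added} "
                  f"duration {r.duration_seconds()}")
```

Run it against a copy of the agent's file (`python3 audit_ar.py < /var/ossec/logs/active-response.log` after swapping SAMPLE_LOG for `sys.stdin.read()`); an empty "ok" bucket together with server-side adds is the symptom described in the thread, namely the response running on the wrong host, while entries stuck in "open" past the timeout point at the delete side of firewall-drop.sh.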
