Hi David,

I have found a SERIOUS bug in the active response script for the Mac.

The rules were added and deleted correctly, but they are added at the END of the list!!

Therefore any previous rule will override the block. For example: if you have a rule that allows FTP, and ossec blocks multiple login failures, they will never be blocked because the first rule allows FTP.


I am including a modified script.

What I do now is the following:

By default Mac OS Server has a few rules around ID 10 (for NAT and such), and then starts adding the rest of the rules at ID 1000.
In the new script active responses are added from ID 666 on, incrementing the ID on each case.

Hope this helps,
Charles

Attachment: ipfw_mac.sh
Description: Binary data




On Aug 5, 2008, at 21:05 , Daniel Cid wrote:

>
> Hi Charles,
>
> I just added support for it and it is available on the following snapshot:
> http://www.ossec.net/files/snapshots/ossec-hids-080805.tar.gz
>
> If you can give it a try, let us know how it worked.
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
>
> On Fri, Jul 4, 2008 at 4:41 AM, kef_list <[EMAIL PROTECTED]> wrote:
>>
>> Daniel,
>>
>> Great!
>>
>> Here are a few sample log entries (from /var/log/secure.log):
>>
>> Jun 20 09:00:42 File-Server ftpd[65613]: Failed authentication from:
>> [U2FsdGVkX18af1PrJ6KSUhskC8ikccfvTqyjjJI/qtk=] @ 58.211.16.202
>> [58.211.16.202]
>> Jun 20 09:00:52 File-Server ftpd[65625]: Failed authentication from:
>> [U2FsdGVkX1+RbLXPa7lV2Ly9a3Bir9x88RdjF2oWkg4=] @ 58.211.16.202
>> [58.211.16.202]
>> Jun 20 09:01:02 File-Server ftpd[65639]: Failed authentication from:
>> [U2FsdGVkX18V16WdD4Z7rcx6tv0zBiUG6bok2Y3IQGQ=] @ 58.211.16.202
>> [58.211.16.202]
>> Jun 25 10:24:06 File-Server ftpd[29807]: Failed authentication from:
>> 1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]
>> Jun 25 10:24:25: --- last message repeated 1 time ---
>> Jun 25 10:24:25 File-Server ftpd[29871]: Failed authentication from:
>> 1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]
>>
>>
>>
>> Other times malformed attacks look like this:
>>
>>
>> Jul  4 02:11:44 File-Server ftpd[54844]: FTP LOGIN REFUSED (PASS before USER) FROM 202.113.244.42 [202.113.244.42]
>>
>>
>>
>> Thanks!
>> Charles
>>
>> On Jun 24, 2008, at 20:02 , Daniel Cid wrote:
>>
>>>
>>> Hi Charles,
>>>
>>> We currently do not support ftpd logs from Mac OS. If you can provide a
>>> few log samples to us (from a successful connection, failed password,
>>> invalid user trying to FTP, etc.), we can easily create some decoders/rules for it.
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>> On Sat, Jun 21, 2008 at 6:37 AM, kef_list <[EMAIL PROTECTED]>  
>>> wrote:
>>>>
>>>> Hi Guys,
>>>>
>>>> I am having a problem with ossec 1.4 under Mac OS X Server 10.5
>>>>
>>>> The ftpd logs are not interpreted correctly and the IP address is not
>>>> read, so the active response is never triggered.
>>>>
>>>> Below are two sample alert logs:
>>>>
>>>>
>>>> ** Alert 1213947151.801450: mail  - syslog,errors,
>>>> 2008 Jun 20 09:32:31 File-Server->/var/log/system.log
>>>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>>>> Src IP: (none)
>>>> User: (none)
>>>> Jun 20 09:32:30 File-Server ftpd[68281]: FTP LOGIN REFUSED (PASS
>>>> before USER) FROM 58.211.16.202 [58.211.16.202]
>>>>
>>>>
>>>>
>>>> ** Alert 1213947135.800831: mail  -
>>>> syslog,access_control,authentication_failed,
>>>> 2008 Jun 20 09:32:15 File-Server->/var/log/system.log
>>>> Rule: 2502 (level 10) -> 'User missed the password more than one time'
>>>> Src IP: (none)
>>>> User: (none)
>>>> Jun 20 09:32:13 File-Server ftpd[68268]: repeated login failures from 58.211.16.202 [58.211.16.202]
>>>>
>>>>
>>>> In both cases the "Src IP" is read as "none" so my firewall is never activated...
>>>>
>>>>
>>>>
>>>> Does anyone know how to fix this?
>>>>
>>>> Thanks,
>>>> Charles
>>>>
>>>>
>>

____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel:  +34 971.45.90.99  | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18  | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________

Spanish law guarantees privacy in electronic communications. This  
electronic transmission is strictly confidential and intended solely  
for the addressee. If you are not the intended addressee, you are  
kindly requested not to disclose nor to copy this transmission and to  
notify us as soon as possible.
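The ipfw_mac.sh Charles attached is not reproduced in the archive. What follows is an added example written for this page, not the attachment and not OSSEC's own active-response script, showing the scheme he describes: an OSSEC-style active-response wrapper for ipfw that places each deny rule at the lowest free number in a reserved band (666 to 999, assumed free on the host) so that ipfw's first-match evaluation reaches it before the host's own allow rules at 1000 and up, instead of appending at the end of the list. It assumes the OSSEC active-response calling convention (action, user and IP as the three arguments), the path /sbin/ipfw, and the line format of `ipfw list` output; the sample list in the comments is constructed.

```shell
#!/bin/sh
# Added example (not Charles's ipfw_mac.sh, not OSSEC's script): insert
# OSSEC active-response deny rules into a low-numbered ipfw band so they
# are evaluated BEFORE the host's allow rules.
# Assumptions (not from the thread): band 666..999 is free, ipfw lives at
# /sbin/ipfw, and the script is called as "script ACTION USER IP".
set -u

IPFW="${IPFW:-/sbin/ipfw}"   # set IPFW="echo ipfw" for a dry run
AR_BASE="${AR_BASE:-666}"    # first rule number reserved for active responses
AR_MAX="${AR_MAX:-999}"      # last one; must stay below the host's allow rules

# The IP comes from a decoded log line: never let anything but a dotted
# quad reach the ipfw command line.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# next_rule_number LIST [BASE] [MAX]
# LIST is the text of `ipfw list`, e.g. a constructed line
#   "00666 deny ip from 203.0.113.5 to any"
# Prints the lowest unused number in the band, or fails when the band is
# exhausted, so a block is never silently appended at the end of the list.
next_rule_number() {
    printf '%s\n' "$1" | awk -v base="${2:-$AR_BASE}" -v max="${3:-$AR_MAX}" '
        { used[$1 + 0] = 1 }            # "00666" -> 666
        END {
            for (n = base; n <= max; n++)
                if (!(n in used)) { print n; exit 0 }
            exit 1
        }'
}

# rules_blocking_ip IP LIST [BASE] [MAX]
# Prints the numbers of our own "deny ip from IP to any" rules inside the
# band, one per line (an IP blocked twice has two rules).
rules_blocking_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" -v base="${3:-$AR_BASE}" -v max="${4:-$AR_MAX}" '
        {
            n = $1 + 0
            if (n >= base && n <= max && $2 == "deny" && $3 == "ip" && $5 == ip) print n
        }'
}

block_ip() {
    n=$(next_rule_number "$($IPFW list)") || {
        echo "no free rule number in $AR_BASE-$AR_MAX" >&2
        return 1
    }
    $IPFW add "$n" deny ip from "$1" to any
}

unblock_ip() {
    for n in $(rules_blocking_ip "$1" "$($IPFW list)"); do
        $IPFW delete "$n"
    done
}

main() {
    action=$1 ip=$3   # $2 is the user name OSSEC passes; unused for an IP block
    valid_ipv4 "$ip" || { echo "refusing bad IP: $ip" >&2; return 2; }
    case $action in
        add)    block_ip "$ip" ;;
        delete) unblock_ip "$ip" ;;
        *)      echo "usage: $0 add|delete user ip" >&2; return 2 ;;
    esac
}

# Dispatch only with OSSEC's three arguments, so the functions can also be
# exercised on their own against a captured `ipfw list`.
if [ $# -eq 3 ]; then
    main "$@"
fi
```

Before enabling it, run `ipfw list` on the host and confirm that nothing already uses the 666 to 999 range and that every allow rule you depend on carries a higher number; a deny placed after an allow for the same traffic is exactly the failure Charles reports. Running with IPFW="echo ipfw" prints the add and delete commands instead of executing them. Note that the earlier problem in the thread, Src IP shown as (none), is a decoder issue that no firewall script can fix; the response only fires once the decoder extracts the address.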



