Hello,

I have a rule set up in local_rules.xml to monitor a snort log on the 
ossec server.  When the rule is triggered it is supposed to generate an 
active response on 2 clients (002 and 003), at least, that is what I would 
like it to do.  The rule is being triggered and shows up in the alert.log, 
but the active response is not generated on the clients.  I'm using 
ossec-hids v1.6.1. Below is the pertinent info (also, any suggestions for 
better rule writing on my part are appreciated).  Is this set up properly 
to generate the active-response on the clients?

local_rules.xml:

<group name="ids,">

        <rule id="100015" level="10">
                <if_sid>20101</if_sid>
                <decoded_as>snort</decoded_as>
                <id>1:2002|1:2301</id>
                <description>Watched snort ids</description>
        </rule>

        <rule id="100016" level="12">
                <if_sid>100015</if_sid>
                <match>192.168.20.3|192.168.20.4</match>
                <description>Snort rule WEB-PHP remote include path violated on alana or chp090</description>
        </rule>
</group>

My ossec.conf on the server is configured for active-response for the 
clients for rule 100016 as follows (Rule 100017 is another rule in 
local_rules.xml that works properly.):

   <active-response>
        <disabled>no</disabled>
        <command>firewall-drop</command>
        <location>defined-agent</location>
        <agent_id>002</agent_id>
        <rules_id>100016,100017</rules_id>
        <timeout>600</timeout>
   </active-response>

   <active-response>
        <disabled>no</disabled>
        <command>firewall-drop</command>
        <location>defined-agent</location>
        <agent_id>003</agent_id>
        <rules_id>100016,100017</rules_id>
        <timeout>600</timeout>
   </active-response>


The alert is being triggered as is evident by the ossec server 
'alert.log', hostname 'packet':

** Alert 1225715361.7132365: mail  - ids,
2008 Nov 03 06:29:21 packet->/var/log/snort/alert
Rule: 100016 (level 12) -> 'Snort rule WEB-PHP remote include path violated on alana or chp090'
Src IP: 208.83.106.201
User: (none)
[**] [1:2002:8] WEB-PHP remote include path [**][Classification: Web Application Attack] [Priority: 1] 208.83.106.201:54921 -> 192.168.20.4:80


Thanks for any help,

Greg Noelken
Washington University in St. Louis
Chemistry Department
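
As an added example (not part of the post above and not OSSEC's own code), here is a small Python checker that walks the configuration the way the poster expects it to behave: it re-evaluates the two local rules against the snort line, then reads the `<active-response>` blocks and lists which agents should receive `firewall-drop` for the alert in alert.log. The sample alert and config are the ones quoted in the post, embedded inline as constructed test input (the config fragment is wrapped in an `<ossec_config>` root so it parses). Two assumptions are labelled in the code: that the snort decoder yields the rule id as `gid:sid` (e.g. `1:2002`), and that a `<match>` pattern with `|` is a plain substring test over the alternatives.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the alert.log entry from the post, as one entry.
SAMPLE_ALERT = """** Alert 1225715361.7132365: mail  - ids,
2008 Nov 03 06:29:21 packet->/var/log/snort/alert
Rule: 100016 (level 12) -> 'Snort rule WEB-PHP remote include path violated on alana or chp090'
Src IP: 208.83.106.201
User: (none)
[**] [1:2002:8] WEB-PHP remote include path [**][Classification: Web Application Attack] [Priority: 1] 208.83.106.201:54921 -> 192.168.20.4:80
"""

# Constructed sample: the raw snort line the rules are evaluated against.
SNORT_LINE = SAMPLE_ALERT.strip().splitlines()[-1]

# Constructed sample: the two active-response blocks from the post, wrapped in a
# root element so ElementTree can parse the fragment (ossec.conf allows several roots).
SAMPLE_CONFIG = """<ossec_config>
   <active-response>
        <disabled>no</disabled>
        <command>firewall-drop</command>
        <location>defined-agent</location>
        <agent_id>002</agent_id>
        <rules_id>100016,100017</rules_id>
        <timeout>600</timeout>
   </active-response>
   <active-response>
        <disabled>no</disabled>
        <command>firewall-drop</command>
        <location>defined-agent</location>
        <agent_id>003</agent_id>
        <rules_id>100016,100017</rules_id>
        <timeout>600</timeout>
   </active-response>
</ossec_config>"""


def ossec_match(pattern, text):
    """Assumption: OSSEC <match>/<id> alternation with '|' is a substring test per alternative."""
    return any(alt in text for alt in pattern.split("|"))


def snort_rule_chain(log_line):
    """Walk the two local rules: 100015 needs a watched snort id, 100016 additionally a watched host.
    Returns the deepest rule id that fires, or None if neither local rule matches."""
    # Assumption: the snort decoder extracts gid:sid (e.g. '1:2002') from '[**] [1:2002:8]'.
    m = re.match(r"\[\*\*\] \[(\d+:\d+):\d+\]", log_line)
    if not m or not ossec_match("1:2002|1:2301", m.group(1)):
        return None  # parent rule 20101 may still fire, but rule 100015 does not
    if ossec_match("192.168.20.3|192.168.20.4", log_line):
        return "100016"
    return "100015"


def parse_alert(text):
    """Pull the fields an active response depends on out of one alert.log entry."""
    rule = re.search(r"^Rule: (\d+) \(level (\d+)\)", text, re.M)
    src = re.search(r"^Src IP: (\S+)", text, re.M)
    if not rule:
        raise ValueError("no 'Rule:' line in alert entry")
    srcip = None if (not src or src.group(1) == "(none)") else src.group(1)
    return {"rule_id": rule.group(1), "level": int(rule.group(2)), "srcip": srcip}


def expected_responses(alert_text, config_xml):
    """Return (agent_id, command, timeout) for every enabled <active-response> whose
    <rules_id> lists the alert's rule. firewall-drop needs a source IP, so entries
    without one are skipped: that is the first thing to check when nothing fires."""
    alert = parse_alert(alert_text)
    root = ET.fromstring(config_xml)
    fired = []
    for ar in root.findall("active-response"):
        if (ar.findtext("disabled") or "no").strip() == "yes":
            continue
        rules = {r.strip() for r in (ar.findtext("rules_id") or "").split(",") if r.strip()}
        if alert["rule_id"] not in rules:
            continue
        command = (ar.findtext("command") or "").strip()
        if command == "firewall-drop" and alert["srcip"] is None:
            continue
        location = (ar.findtext("location") or "").strip()
        target = (ar.findtext("agent_id") or "").strip() if location == "defined-agent" else location
        fired.append((target, command, int((ar.findtext("timeout") or "0").strip())))
    return fired


if __name__ == "__main__":
    print("local rule that fires on the snort line:", snort_rule_chain(SNORT_LINE))
    for agent, cmd, timeout in expected_responses(SAMPLE_ALERT, SAMPLE_CONFIG):
        print(f"agent {agent}: {cmd} for {timeout}s")
```

Run as-is it reports rule 100016 and a `firewall-drop` of 600 seconds on agents 002 and 003, which is what the configuration should produce; if it prints nothing for your own alert, the usual reasons are a missing `Src IP:` in the entry or a rule id absent from `<rules_id>`.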

