Hey Brian,

Yes, you can have different active-response for different rule sets. To do this use <rules_id> or <rules_group> instead of <level> in your active-response configs:

<rules_id>Comma separated list of rules id (0-9)</rules_id>
<rules_group>Comma separated list of groups (A-Za-z0-9)</rules_group>

cheers,
cnk

On Wed, Feb 18, 2009 at 6:30 PM, Brian Torbich <[email protected]> wrote:
>
> cnk,
>
> I did some more research and what I am going to have to do is just specify a
> separate log file for the BIND messages. And then point OSSEC to that log
> file for named in ossec.conf. I am having all of it spill into
> /var/log/messages and that is confusing things right now and causing the
> wrong rules to trigger.
>
> Now, the question is with active-response. In ossec.conf you can specify
> the time you want the IP bans to last, as shown below. But I would like
> different times for different rule sets.
>
> For example, I want the active-response 'web' IP bans to last for 600 seconds
> and I want the 'named' bans to last for 36 hours.
>
> Is it possible for me to do this? Can I set different active-response
> <timeout> settings for different rule sets?
>
>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
>
> Thanks,
>
> ================================
> Brian Torbich
> Voice Marketing, Inc.
> http://www.voicemarketing.net
> Cell Phone: 412-398-8234
> ================================
>
> ----- Original Message -----
> From: "cnk" <[email protected]>
> To: [email protected]
> Sent: Tuesday, February 17, 2009 10:50:45 AM GMT -05:00 US/Canada Eastern
> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
> Query cache denied events
>
>
> Hey Brian,
>
> Can you share some sample log files so we can take a look at the
> decoder and rules?
>
> cheers,
>
> cnk
>
> On Mon, Feb 16, 2009 at 3:30 PM, Brian Torbich
> <[email protected]> wrote:
>>
>> Due to the heightened level of BIND DNS attacks lately, I am getting
>> thousands upon thousands of 'query (cache) denied' notice messages from
>> BIND. Even though there is a rule in named_rules.xml for this type of
>> event, it is actually being picked up under rule set syslog_rules.xml as an
>> "Unknown problem somewhere in the system".
>>
>> My question is, how can I troubleshoot this so that it is not picked up by
>> the wrong rule set? Is there a way to set authority or priority in the rule
>> sets? Also, how can I modify the existing rule #12108 in named_rules.xml to
>> use active-response and block the IP address after so many triggers? I am
>> looking at some of the pure-ftpd_rules.xml and can get a general idea of
>> what to do from there. I am thinking I could just copy the format of the
>> FTP Brute Force attack rule.
>>
>> Thanks in advance for any help you can offer.
>>
>>
>> Regards,
>>
>> ================================
>> Brian Torbich
>> Voice Marketing, Inc.
>> http://www.voicemarketing.net
>> Cell Phone: 412-398-8234
>> ================================
>>
>
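As an added example (not part of this thread and not OSSEC's shipped configuration), the fragments below put cnk's answer and Brian's two questions together: a dedicated localfile for BIND so the named decoder sees the messages, a composite rule that fires only after repeated rule 12108 hits from one source (the pure-ftpd brute-force pattern), and two active-response blocks keyed on <rules_group> and <rules_id> with different <timeout> values. The log path /var/log/named/named.log, the local rule id 100100, the frequency/timeframe of 8 hits in 120 seconds, and the assumption that the web rules carry the group name "web" are all mine, not from the thread.

```xml
<!-- Added example; rule id 100100, the named log path and the 8/120 threshold are assumed values. -->

<!-- ===== ossec.conf ===== -->
<ossec_config>

  <!-- Read BIND's own log instead of /var/log/messages, so the named
       decoder/rules match before the generic syslog rules do. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/named/named.log</location>
  </localfile>

  <!-- Standard firewall-drop command; the script is handed the source IP. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>

  <!-- Web bans: 600 seconds, selected by rule group rather than by level.
       Assumes the web rules are in a group containing "web". -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_group>web</rules_group>
    <timeout>600</timeout>
  </active-response>

  <!-- BIND bans: 36 hours = 129600 seconds, selected by the id of the
       composite rule below, so a single denied query never triggers a block. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>129600</timeout>
  </active-response>

</ossec_config>

<!-- ===== rules/local_rules.xml ===== -->
<group name="local,named,">

  <!-- Composite rule: 8 'query (cache) denied' events (rule 12108) from the
       same source IP within 120 seconds. Only this rule, not 12108 itself,
       is wired to the 36-hour firewall-drop above. -->
  <rule id="100100" level="10" frequency="8" timeframe="120">
    <if_matched_sid>12108</if_matched_sid>
    <same_source_ip />
    <description>Repeated BIND query (cache) denied from the same source.</description>
  </rule>

</group>
```

Each active-response block needs exactly one selector (<level>, <rules_id> or <rules_group>), so the original <level>6</level> block would be replaced rather than kept alongside these; otherwise a level-6 web alert would match both the level-based block and the group-based one. Keying the long ban on the composite rule rather than on 12108 is what keeps a resolver that sends a single stray query from being blocked for 36 hours.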
