Thank you for your interest. I already posted all the configuration in
a previous post; anyway, following is the last notification
(brute force on the FTP server):
Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
I get the email alerts without problems, also for level 12. I checked
for the log file but it isn't there (active-responses.log). In
alerts.log I found the same email alert. I have 1 OSSEC server and 4
agents; the alert came from an agent.
Here the active-response part of ossec.conf:
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
I disabled firewall-drop by adding the corresponding tag:
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<disabled>yes</disabled>
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
Here are the directory permissions on agent and server:
dr-xr-x--- 3 root ossec 4096 Feb 10 14:58 active-response
dr-xr-x--- 2 root ossec 4096 Feb 10 14:58 bin
dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 etc
drwxr-x--- 2 ossec ossec 4096 Mar 4 09:24 logs
dr-xr-x--- 6 root ossec 4096 Feb 10 14:58 queue
dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 var
/var/ossec/active-response# ls -l
total 4
dr-xr-x--- 2 root ossec 4096 Mar 2 11:25 bin
/var/ossec/active-response/bin# ls -l
total 32
-rwxr-xr-x 1 root ossec 1711 Jan 6 2007 disable-account.sh
-rwxr-xr-x 1 root ossec 3705 Jan 6 2007 firewall-drop.sh
-rwxr-xr-x 1 root ossec 3018 Jun 11 2008 host-deny.sh
-rwxr-xr-x 1 root ossec 1385 Jan 6 2007 ipfw.sh
-rwxr-xr-x 1 root ossec 1617 Jan 6 2007 ipfw_mac.sh
-rwxr-xr-x 1 root ossec 1849 Jun 6 2008 pf.sh
-rwxr-xr-x 1 root ossec 2542 Feb 18 17:08 pix-blacklist.sh
-rwxr-xr-x 1 root ossec 1182 May 24 2008 route-null.sh
I also raised the debug level to 2 on the server:
# Analysisd (server or local)
analysisd.debug=2
# Unix agentd
agent.debug=2
to get more info, but there is nothing more in the alert logs.
I also added my own active response based on rule ID rather than
severity level, but it doesn't work.
<command>
<name>pix-blacklist</name>
<executable>pix-blacklist.sh</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<!-- This response is going to execute the pix-blacklist
- command for every event that fires one of the rule IDs
- listed in <rules_id> below (no severity-level trigger).
- The IP is going to be logged for the PIX blacklist.
-->
<command>pix-blacklist</command>
<location>local</location>
<rules_id>31151,30114,31163,31106</rules_id>
</active-response>
Last, the OSSEC server is an Ubuntu Breezy server, the agent that
raises the alert is a Debian 3.1 server, and both run OSSEC 1.6.1.
I hope this info can be helpful.
Thank you
Luciano
On 3 Mar, 15:55, Damon Getsman <[email protected]> wrote:
> I would suggest posting the version of OSsec that you're using, the rule
> that is specifically being fired @ level 10 (I believe there is more than
> one type of ssh brute force attack if I remember correctly), and then the
> <active-response> portion of your ossec.conf file. Snippets of the log
> itself may help, too.
>
> I know that you specified that you're using the 'defaults', but if you tag
> these pieces of information along in your messages it'll make things easier
> for someone that may know the answer off the top of their head to post a
> response to you. I'm pretty sure most of the people on this mailing list
> don't have the time to sit and research various responses to questions like
> this most of the time; nobody gets paid to respond to the mailing list. :)
>
> HTH.
> ----------
> Damon Getsman
> -=-=-=-
> ITRx http://www.itrx-nd.com/
> Programmer/IT Customer Relations/Sys Admin
> -=-=-=-
>
> On Tue, Mar 3, 2009 at 2:23 AM, cianop <[email protected]> wrote:
>
> > Hey, can someone help me please? I have a lot of brute force attacks
> > notified by OSSEC, and if the active-response doesn't work, before
> > or after they go inside. Can anyone at OSSEC help me?
>
> [snip]
> On 19 Feb, 16:18, cianop <[email protected]> wrote:
> > Hi, I had an OSSEC notification that said that a rule with level 10 was
> > fired but I didn't see any active-response action. I mean no
> > modification of hosts.*, no logs in active-response dir or logs dir.
> > I have the default rules installed and the two default commands and
> > related active-responses (host-deny
> > and firewall-drop) with the firewall-drop disabled. There is also no
> > error in ossec.log
>
> [snip]
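Added example (not code from the post above, nor OSSEC's own rules or scripts): a small Python sketch that parses vsftpd FAIL LOGIN lines in the format quoted in the notification, applies a per-client sliding-window threshold the way a frequency rule does, and then checks the resulting alert against the three <active-response> entries from the ossec.conf in the post, modelled as data. The threshold (6 failures in 120 s) and the matching semantics for <level> versus <rules_id> are assumptions for illustration, not the real parameters of rule 11451 or OSSEC's dispatch logic; the log lines beyond the seven quoted ones are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the vsftpd format shown in the post. The first seven
# lines reproduce the burst from 221.4.205.132; the rest are made-up events
# (a successful login, and a second client that stays below the threshold).
SAMPLE_LOG = """\
Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
Tue Mar 3 08:58:10 2009 [pid 7811] [ftp] OK LOGIN: Client "192.168.0.5"
Tue Mar 3 08:58:12 2009 [pid 7812] [bob] FAIL LOGIN: Client "10.0.0.7"
Tue Mar 3 08:58:13 2009 [pid 7812] [bob] FAIL LOGIN: Client "10.0.0.7"
"""

# ctime-style timestamps pad a single-digit day with a space ("Mar  3");
# the lines in the post show one space, so \s+ accepts either.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_fail(line):
    """Return (timestamp, user, srcip) for a vsftpd FAIL LOGIN line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=6, window_s=120, rule_id=11451, level=10):
    """Sliding-window frequency correlation over FAIL LOGIN events per srcip.

    An alert is emitted once `threshold` failures from one client fall within
    `window_s` seconds; that client's window is then cleared so a burst yields
    one alert rather than one per extra failure. rule_id/level default to the
    values in the notification above; threshold and window are assumptions.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_fail(line)
        if ev is None:
            continue
        ts, _user, ip = ev
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"srcip": ip, "count": len(q), "first": q[0],
                           "last": ts, "rule_id": rule_id, "level": level})
            q.clear()
    return alerts


# The three <active-response> entries from the ossec.conf in the post, as data.
RESPONSES = [
    {"command": "host-deny", "level": 6, "timeout": 600},
    {"command": "firewall-drop", "level": 6, "timeout": 600, "disabled": True},
    {"command": "pix-blacklist", "rules_id": {31151, 30114, 31163, 31106}},
]


def select_responses(alert, responses=RESPONSES):
    """Names of the active-response entries that match `alert`.

    Simplified matching (an assumption, not taken from OSSEC's source): a
    disabled entry never fires; <level> requires alert level >= that value;
    <rules_id> requires the alert's rule id to be listed; both means both.
    """
    fired = []
    for r in responses:
        if r.get("disabled"):
            continue
        if "level" in r and alert["level"] < r["level"]:
            continue
        if "rules_id" in r and alert["rule_id"] not in r["rules_id"]:
            continue
        fired.append(r["command"])
    return fired


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"rule {a['rule_id']} level {a['level']}: {a['count']} failures "
              f"from {a['srcip']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
        print("  would fire:", select_responses(a))
```

Run as a script it reports one alert for 221.4.205.132 and that only host-deny matches it: firewall-drop is disabled, and 11451 is not among the rule IDs the pix-blacklist entry lists, so under this matching that entry would not be selected for this alert in any case.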