Hi,
I've a problem that look similar.
One Server, 4 Agents.
Everthing works fine, only avtive responses don't work.
Also if I try
agent_control -u 004 -b 1.2.3.4 -f host-deny600
it works, but if I simulate a brute force attack on the same agent, I
received a message with level 10- so far, so good, but active response
don't work.
So the communication between agent and server seems ok, but the server
don't initiate the active response.
Any idea, whats wrong?
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
On Mar 31, 4:09 pm, "Larry Rider Bou" <[email protected]> wrote:
> Hello,
>
> I posted a bug that was not solved with same problem.
>
> If instead of:
>
> > > <active-response>
> > > <!-- Thisresponseis going to execute the host-deny
> > > - command for every event that fires a rule with
> > > - level (severity) >= 6.
> > > - The IP is going to be blocked for 600 seconds.
> > > -->
> > > <command>host-deny</command>
> > > <location>local</location> --> Does not work.
> > > <level>6</level>
> > > <timeout>600</timeout>
> > > </active-response>
>
> You write : (Change local for all) it will work. (It does for me)
>
> > > <active-response>
> > > <!-- Thisresponseis going to execute the host-deny
> > > - command for every event that fires a rule with
> > > - level (severity) >= 6.
> > > - The IP is going to be blocked for 600 seconds.
> > > -->
> > > <command>host-deny</command>
> > > <location>all</location> --> does work
> > > <level>6</level>
> > > <timeout>600</timeout>
> > > </active-response>
>
> Un saludo,
> Larry A. Rider
>
>
>
> -----Mensaje original-----
> De: [email protected] [mailto:[email protected]] En
> nombre de cianop
> Enviado el: martes, 31 de marzo de 2009 12:25
> Para: ossec-list
> Asunto: [ossec-list] Re: active-responsedoesn't work
>
> I also tried to run the same command on the agent 000 (the server) but
> doesn't work: no line added to hosts.deny, no active-response.log
>
> Luciano
>
> On 25 Mar, 15:31, Daniel Cid <[email protected]> wrote:
>
> > Hi,
>
> > Did you check for the file /var/ossec/logs/active-responses.log on the
> > agent? You configured
> > theresponseto run on the agent side, not on the manager. Also, it
> > will timeout and remove
> > the block after 10 minutes (for the first entry, not yours)....
>
> > A good way to test is to run the command agent_control:
>
> > # /var/ossec/bin/agent_control -L
>
> > OSSEC HIDS agent_control. Available active responses:
>
> > Responsename: host-deny600, command: host-deny.sh
> > Responsename: host-deny600, command: host-deny.sh
> > Responsename: firewall-drop600, command: firewall-drop.sh
> > Responsename: win_nullroute600, command: route-null.cmd
>
> > # /var/ossec/bin/agent_control -u 200 -b 1.2.3.4 -f firewall-drop600
>
> > OSSEC HIDS agent_control: Running activeresponse'firewall-drop600' on: 200
>
> > The second command will block the ip 1.2.3.4 on the agent 200 using
> > firewall-drop600...
>
> > Hope it helps.
>
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
>
> > On Wed, Mar 4, 2009 at 5:40 AM, cianop <[email protected]>
> > wrote:
>
> > > Thank you for your interest, I already posted all the configuration in
> > > a previuos post, anyway, following ther is the last notification
> > > (brute force on ftp server):
>
> > > Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
> > > Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed
> > > logins)."
> > > Portion of the log(s):
>
> > > Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > Client "221.4.205.132"
> > > Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > Client "221.4.205.132"
> > > Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > Client "221.4.205.132"
> > > Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > Client "221.4.205.132"
> > > Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > Client "221.4.205.132"
> > > Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > Client "221.4.205.132"
> > > Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > Client "221.4.205.132"
>
> > > I got email alert without problem also for level 12. I have been
> > > checked for log file but there isn't (active-
> > > responses.log). In alerts.log I finded the same email alert. I have 1
> > > ossec server and 4 agent, the alert came from an agent.
> > > Here the active-responsepart of ossec.conf:
>
> > > <command>
> > > <name>host-deny</name>
> > > <executable>host-deny.sh</executable>
> > > <expect>srcip</expect>
> > > <timeout_allowed>yes</timeout_allowed>
> > > </command>
>
> > > <!-- ActiveResponseConfig -->
> > > <active-response>
> > > <!-- Thisresponseis going to execute the host-deny
> > > - command for every event that fires a rule with
> > > - level (severity) >= 6.
> > > - The IP is going to be blocked for 600 seconds.
> > > -->
> > > <command>host-deny</command>
> > > <location>local</location>
> > > <level>6</level>
> > > <timeout>600</timeout>
> > > </active-response>
>
> > > I disabled the firewall drop adding the relative tag
>
> > > <active-response>
> > > <!-- Firewall Dropresponse. Block the IP for
> > > - 600 seconds on the firewall (iptables,
> > > - ipfilter, etc).
> > > -->
> > > <disabled>yes</disabled>
> > > <command>firewall-drop</command>
> > > <location>local</location>
> > > <level>6</level>
> > > <timeout>600</timeout>
> > > </active-response>
>
> > > here the directory permission on agent and server:
>
> > > dr-xr-x--- 3 root ossec 4096 Feb 10 14:58 active-response
> > > dr-xr-x--- 2 root ossec 4096 Feb 10 14:58 bin
> > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 etc
> > > drwxr-x--- 2 ossec ossec 4096 Mar 4 09:24 logs
> > > dr-xr-x--- 6 root ossec 4096 Feb 10 14:58 queue
> > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 var
>
> > > /var/ossec/active-response# ls -l
> > > total 4
> > > dr-xr-x--- 2 root ossec 4096 Mar 2 11:25 bin
>
> > > /var/ossec/active-response/bin# ls -l
> > > total 32
> > > -rwxr-xr-x 1 root ossec 1711 Jan 6 2007 disable-account.sh
> > > -rwxr-xr-x 1 root ossec 3705 Jan 6 2007 firewall-drop.sh
> > > -rwxr-xr-x 1 root ossec 3018 Jun 11 2008 host-deny.sh
> > > -rwxr-xr-x 1 root ossec 1385 Jan 6 2007 ipfw.sh
> > > -rwxr-xr-x 1 root ossec 1617 Jan 6 2007 ipfw_mac.sh
> > > -rwxr-xr-x 1 root ossec 1849 Jun 6 2008 pf.sh
> > > -rwxr-xr-x 1 root ossec 2542 Feb 18 17:08 pix-blacklist.sh
> > > -rwxr-xr-x 1 root ossec 1182 May 24 2008 route-null.sh
>
> > > I also raised the debug level to 2 in server
>
> > > # Analysisd (server or local)
> > > analysisd.debug=2
>
> > > # Unix agentd
> > > agent.debug=2
>
> > > to have more info but nothing more in alert logs.
>
> > > I also added my own activeresponsebased on rule id rather than
> > > severity level but doesn't work.
>
> > > <command>
> > > <name>pix-blacklist</name>
> > > <executable>pix-blacklist.sh</executable>
> > > <expect>srcip</expect>
> > > <timeout_allowed>no</timeout_allowed>
> > > </command>
>
> > > <active-response>
> > > <!-- Thisresponseis going to execute the pix-blacklist
> > > - command for every event that fires a rule with
> > > - level (severity) >= 6.
> > > - The IP is going to be logged for Pix Blacklist.
> > > -->
> > > <command>pix-blacklist</command>
> > > <location>local</location>
> > > <rules_id>31151,30114,31163,31106</rules_id>
> > > </active-response>
>
> > > Last, the ossec server is an ubuntu breezy server, the agent that
> > > raise alert is a debian 3.1 server and both run ossec 1.6.1
>
> > > I hope this info can be helpfull.
>
> > > Thank you
>
> > > Luciano
>
> > > On 3 Mar, 15:55, Damon Getsman <[email protected]> wrote:
> > >> I would suggest posting the version of OSsec that you're using, the rule
> > >> that is specifically being fired @ level 10 (I believe there is more than
> > >> one type of ssh brute force attack if I remember correctly), and then the
> > >> <active-response> portion of your ossec.conf file. Snippets of the log
> > >> itself may help, too.
>
> > >> I know that you specified that you're using the 'defaults', but if you
> > >> tag
> > >> these pieces of information along in your messages it'll make things
> > >> easier
> > >> for someone that may know the answer of the top of their head to post a
> > >>responseto you. I'm pretty sure most of the people on this mailing list
> > >> don't have the time to sit and research various responses to questions
> > >> like
> > >> this most of the time; nobody gets paid to respond to the mailing list.
> > >> :)
>
> > >> HTH.
> > >> ----------
> > >> Damon Getsman
> > >> -=-=-=-
> > >> ITRxhttp://www.itrx-nd.com/
> > >> Programmer/IT Customer Relations/Sys Admin
> > >> -=-=-=-
>
> > >> On Tue, Mar 3, 2009 at 2:23 AM, cianop
> > >> <[email protected]>wrote:
>
> > >> > Hey, someone can help me please, I have a lot of brute force attack
> > >> > notificated by OSSEC, and if the active-responsedoesn't work before
> > >> > or after they go inside. Anyone at Ossec can help me?
>
> > >> [snip]
> > >> On 19 Feb, 16:18, cianop <[email protected]> wrote:> Hi, I
> > >> had an OSSEC notification that say that a rule with level 10 was
> > >> > fired but I didn't see any active-responseaction. I mean no
> > >> > modification of hosts.* no logs in active-responsedir or logs dir.
> > >> > I have the default rules installed and the two default command and
> > >> > related active-response(host-deny
> > >> > and firewall-drop) with the firewall-drop disabled. There is also no
> > >> > error in ossec.log
>
> > >> [snip]
