Hi Mathias,

There are a few common reasons for the active response not to work:

- The IP is in the white list. You said you simulated a brute force attack. Was the IP white-listed?
- By default the responses will be removed after 10 minutes. If you don't check immediately, they might be removed by the time you check. Because of that, always look at active-response.log on the agent side.
- There is no IP address being decoded from the alert you want to generate the responses from.

Can you check these? If that's not the problem, can you show us a copy of the alert that you wanted to create an active response for? It should be inside /var/ossec/alerts/. Also the content of ossec.conf on the manager and active-response.log from the agent?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Apr 21, 2009 at 9:25 AM, cianop <[email protected]> wrote:
>
> I'm sorry but I have no idea, I tried all that you have tried, but it
> didn't work. Maybe it could be an operating system problem or linked to
> the C library or C compiler. But this is out of my knowledge, and
> it should be the OSSEC team that answers, if they want... or better if we
> pay... It would be very nice to know which version of Linux kernel,
> gcc, libstdc... are better and work.
>
> Luciano
>
> On 16 Apr, 13:59, mathias1104 <[email protected]> wrote:
>> Hi,
>> I've a problem that looks similar.
>> One server, 4 agents.
>> Everything works fine, only active responses don't work.
>> Also if I try
>> agent_control -u 004 -b 1.2.3.4 -f host-deny600
>> it works, but if I simulate a brute force attack on the same agent, I
>> receive a message with level 10. So far, so good, but active response
>> doesn't work.
>> So the communication between agent and server seems ok, but the server
>> doesn't initiate the active response.
>> Any idea what's wrong?
>>
>> <command>
>> <name>host-deny</name>
>> <executable>host-deny.sh</executable>
>> <expect>srcip</expect>
>> <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> <active-response>
>> <disabled>no</disabled>
>> <!-- This response is going to execute the host-deny
>> - command for every event that fires a rule with
>> - level (severity) >= 6.
>> - The IP is going to be blocked for 600 seconds.
>> -->
>> <command>host-deny</command>
>> <location>local</location>
>> <level>6</level>
>> <timeout>600</timeout>
>> </active-response>
>>
>> On Mar 31, 4:09 pm, "Larry Rider Bou" <[email protected]> wrote:
>>
>> > Hello,
>>
>> > I posted a bug that was not solved with the same problem.
>>
>> > If instead of:
>>
>> > > > <active-response>
>> > > > <!-- This response is going to execute the host-deny
>> > > > - command for every event that fires a rule with
>> > > > - level (severity) >= 6.
>> > > > - The IP is going to be blocked for 600 seconds.
>> > > > -->
>> > > > <command>host-deny</command>
>> > > > <location>local</location> --> Does not work.
>> > > > <level>6</level>
>> > > > <timeout>600</timeout>
>> > > > </active-response>
>>
>> > You write: (change local to all) it will work. (It does for me)
>>
>> > > > <active-response>
>> > > > <!-- This response is going to execute the host-deny
>> > > > - command for every event that fires a rule with
>> > > > - level (severity) >= 6.
>> > > > - The IP is going to be blocked for 600 seconds.
>> > > > -->
>> > > > <command>host-deny</command>
>> > > > <location>all</location> --> does work
>> > > > <level>6</level>
>> > > > <timeout>600</timeout>
>> > > > </active-response>
>>
>> > Regards,
>> > Larry A. Rider
>> >
>> >
>>
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On
>> > behalf of cianop
>> > Sent: Tuesday, March 31, 2009 12:25
>> > To: ossec-list
>> > Subject: [ossec-list] Re: active-response doesn't work
>>
>> > I also tried to run the same command on the agent 000 (the server) but
>> > it doesn't work: no line added to hosts.deny, no active-response.log
>>
>> > Luciano
>>
>> > On 25 Mar, 15:31, Daniel Cid <[email protected]> wrote:
>>
>> > > Hi,
>>
>> > > Did you check for the file /var/ossec/logs/active-responses.log on the
>> > > agent? You configured
>> > > the response to run on the agent side, not on the manager. Also, it
>> > > will timeout and remove
>> > > the block after 10 minutes (for the first entry, not yours)....
>>
>> > > A good way to test is to run the command agent_control:
>>
>> > > # /var/ossec/bin/agent_control -L
>>
>> > > OSSEC HIDS agent_control. Available active responses:
>>
>> > > Response name: host-deny600, command: host-deny.sh
>> > > Response name: host-deny600, command: host-deny.sh
>> > > Response name: firewall-drop600, command: firewall-drop.sh
>> > > Response name: win_nullroute600, command: route-null.cmd
>>
>> > > # /var/ossec/bin/agent_control -u 200 -b 1.2.3.4 -f firewall-drop600
>>
>> > > OSSEC HIDS agent_control: Running active response 'firewall-drop600' on:
>> > > 200
>>
>> > > The second command will block the IP 1.2.3.4 on the agent 200 using
>> > > firewall-drop600...
>>
>> > > Hope it helps.
>>
>> > > --
>> > > Daniel B. Cid
>> > > dcid ( at ) ossec.net
>>
>> > > On Wed, Mar 4, 2009 at 5:40 AM, cianop <[email protected]>
>> > > wrote:
>>
>> > > > Thank you for your interest, I already posted all the configuration in
>> > > > a previous post, anyway, following there is the last notification
>> > > > (brute force on ftp server):
>>
>> > > > Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
>> > > > Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed
>> > > > logins)."
>> > > > Portion of the log(s):
>>
>> > > > Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
>> > > > Client "221.4.205.132"
>> > > > Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
>> > > > Client "221.4.205.132"
>> > > > Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
>> > > > Client "221.4.205.132"
>> > > > Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
>> > > > Client "221.4.205.132"
>> > > > Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
>> > > > Client "221.4.205.132"
>> > > > Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
>> > > > Client "221.4.205.132"
>> > > > Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
>> > > > Client "221.4.205.132"
>>
>> > > > I got the email alert without problem also for level 12. I have
>> > > > checked for the log file but there isn't one (active-
>> > > > responses.log). In alerts.log I found the same email alert. I have 1
>> > > > ossec server and 4 agents, the alert came from an agent.
>> > > > Here the active-response part of ossec.conf:
>>
>> > > > <command>
>> > > > <name>host-deny</name>
>> > > > <executable>host-deny.sh</executable>
>> > > > <expect>srcip</expect>
>> > > > <timeout_allowed>yes</timeout_allowed>
>> > > > </command>
>>
>> > > > <!-- Active Response Config -->
>> > > > <active-response>
>> > > > <!-- This response is going to execute the host-deny
>> > > > - command for every event that fires a rule with
>> > > > - level (severity) >= 6.
>> > > > - The IP is going to be blocked for 600 seconds.
>> > > > -->
>> > > > <command>host-deny</command>
>> > > > <location>local</location>
>> > > > <level>6</level>
>> > > > <timeout>600</timeout>
>> > > > </active-response>
>>
>> > > > I disabled the firewall drop adding the relative tag
>>
>> > > > <active-response>
>> > > > <!-- Firewall Drop response. Block the IP for
>> > > > - 600 seconds on the firewall (iptables,
>> > > > - ipfilter, etc).
>> > > > -->
>> > > > <disabled>yes</disabled>
>> > > > <command>firewall-drop</command>
>> > > > <location>local</location>
>> > > > <level>6</level>
>> > > > <timeout>600</timeout>
>> > > > </active-response>
>>
>> > > > here the directory permissions on agent and server:
>>
>> > > > dr-xr-x--- 3 root ossec 4096 Feb 10 14:58 active-response
>> > > > dr-xr-x--- 2 root ossec 4096 Feb 10 14:58 bin
>> > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 etc
>> > > > drwxr-x--- 2 ossec ossec 4096 Mar 4 09:24 logs
>> > > > dr-xr-x--- 6 root ossec 4096 Feb 10 14:58 queue
>> > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 var
>>
>> > > > /var/ossec/active-response# ls -l
>> > > > total 4
>> > > > dr-xr-x--- 2 root ossec 4096 Mar 2 11:25 bin
>>
>> > > > /var/ossec/active-response/bin# ls -l
>> > > > total 32
>> > > > -rwxr-xr-x 1 root ossec 1711 Jan 6 2007 disable-account.sh
>> > > > -rwxr-xr-x 1 root ossec 3705 Jan 6 2007 firewall-drop.sh
>> > > > -rwxr-xr-x 1 root ossec 3018 Jun 11 2008 host-deny.sh
>> > > > -rwxr-xr-x 1 root ossec 1385 Jan 6 2007 ipfw.sh
>> > > > -rwxr-xr-x 1 root ossec 1617 Jan 6 2007 ipfw_mac.sh
>> > > > -rwxr-xr-x 1 root ossec 1849 Jun 6 2008 pf.sh
>> > > > -rwxr-xr-x 1 root ossec 2542 Feb 18 17:08 pix-blacklist.sh
>> > > > -rwxr-xr-x 1 root ossec 1182 May 24 2008 route-null.sh
>>
>> > > > I also raised the debug level to 2 on the server
>>
>> > > > # Analysisd (server or local)
>> > > > analysisd.debug=2
>>
>> > > > # Unix agentd
>> > > > agent.debug=2
>>
>> > > > to have more info, but nothing more in alert logs.
>>
>> > > > I also added my own active response based on rule id rather than
>> > > > severity level, but it doesn't work.
>>
>> > > > <command>
>> > > > <name>pix-blacklist</name>
>> > > > <executable>pix-blacklist.sh</executable>
>> > > > <expect>srcip</expect>
>> > > > <timeout_allowed>no</timeout_allowed>
>> > > > </command>
>>
>> > > > <active-response>
>> > > > <!-- This response is going to execute the pix-blacklist
>> > > > - command for every event that fires a rule with
>> > > > - level (severity) >= 6.
>> > > > - The IP is going to be logged for Pix Blacklist.
>> > > > -->
>> > > > <command>pix-blacklist</command>
>> > > > <location>local</location>
>> > > > <rules_id>31151,30114,31163,31106</rules_id>
>> > > > </active-response>
>>
>> > > > Last, the ossec server is an Ubuntu Breezy server, the agent that
>> > > > raises the alert is a Debian 3.1 server and both run ossec 1.6.1
>>
>> > > > I hope this info can be helpful.
>>
>> > > > Thank you
>>
>> > > > Luciano
>>
>> > > > On 3 Mar, 15:55, Damon Getsman <[email protected]> wrote:
>> > > >> I would suggest posting the version of OSSEC that you're using, the
>> > > >> rule that is specifically being fired @ level 10 (I believe there is
>> > > >> more than one type of ssh brute force attack if I remember correctly),
>> > > >> and then the <active-response> portion of your ossec.conf file.
>> > > >> Snippets of the log itself may help, too.
>>
>> > > >> I know that you specified that you're using the 'defaults', but if
>> > > >> you tag these pieces of information along in your messages it'll make
>> > > >> things easier for someone that may know the answer off the top of
>> > > >> their head to post a response to you. I'm pretty sure most of the
>> > > >> people on this mailing list don't have the time to sit and research
>> > > >> various responses to questions like this most of the time; nobody
>> > > >> gets paid to respond to the mailing list. :)
>>
>> > > >> HTH.
>> > > >> ----------
>> > > >> Damon Getsman
>> > > >> -=-=-=-
>> > > >> ITRx http://www.itrx-nd.com/
>> > > >> Programmer/IT Customer Relations/Sys Admin
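A small checker that walks Daniel's list of reasons (white-listed IP, no srcip decoded, level or rules_id threshold, a response marked disabled) against a manager ossec.conf and one alert. This is an added example, not code from the OSSEC project or from anyone in the thread; the ossec.conf fragment and alert values are constructed, and the white_list matching (exact IP or CIDR netblock only) is a simplifying assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed manager ossec.conf fragment for the demo (not a file from this thread).
SAMPLE_CONF = """<ossec_config>
  <global><white_list>127.0.0.1</white_list><white_list>192.168.0.0/24</white_list></global>
  <active-response><command>host-deny</command><location>local</location>
    <level>6</level><timeout>600</timeout></active-response>
  <active-response><disabled>yes</disabled><command>firewall-drop</command>
    <location>local</location><level>6</level><timeout>600</timeout></active-response>
</ossec_config>"""

def parse_conf(text):
    """Return (white_list, responses) from an ossec.conf-style XML string."""
    root = ET.fromstring(text)
    white_list = [w.text.strip() for w in root.iter("white_list")]
    responses = []
    for ar in root.iter("active-response"):
        responses.append({
            "command": ar.findtext("command"),
            "location": ar.findtext("location", "local"),
            "level": int(ar.findtext("level", "0")),
            "disabled": ar.findtext("disabled", "no").strip() == "yes",
            "rules_id": [r.strip() for r in ar.findtext("rules_id", "").split(",") if r.strip()],
        })
    return white_list, responses

def is_whitelisted(ip, white_list):
    """Simplified white_list matching (assumption): exact IP or CIDR netblock."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(e, strict=False)
               for e in white_list)

def diagnose(conf_text, alert):
    """Map each response command to why it would not run for alert {level, rule_id, srcip}."""
    white_list, responses = parse_conf(conf_text)
    findings = {}
    for ar in responses:
        reasons = []
        if ar["disabled"]:
            reasons.append("response is <disabled>yes</disabled>")
        if ar["rules_id"] and alert["rule_id"] not in ar["rules_id"]:
            reasons.append("rule %s not in <rules_id>" % alert["rule_id"])
        elif not ar["rules_id"] and alert["level"] < ar["level"]:
            reasons.append("alert level %d below <level>%d" % (alert["level"], ar["level"]))
        if not alert.get("srcip"):  # <expect>srcip</expect> needs a decoded source IP
            reasons.append("no srcip decoded from the alert")
        elif is_whitelisted(alert["srcip"], white_list):
            reasons.append("srcip %s is in <white_list>" % alert["srcip"])
        if not reasons:  # nothing blocks it; remember the 10-minute timeout when you look
            where = "agent" if ar["location"] == "local" else ar["location"]
            reasons.append("should run; check active-responses.log on the %s" % where)
        findings[ar["command"]] = reasons
    return findings
```

A real ossec.conf often holds several top-level <ossec_config> blocks, so wrap the file in one outer element before handing it to parse_conf.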
