Hi Daniel,
I have already removed every white_list entry except 127.0.0.1.
I watched active-responses.log on both the agent and the server while
testing from a client on the local network.
alerts.log:
** Alert 1240328311.109905: mail -
syslog,sshd,authentication_failures,
2009 Apr 21 17:38:31 (themis) 10.10.70.68->/var/log/messages
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the
system.'
Src IP: 10.10.70.139
User: (none)
Apr 21 17:38:38 themis sshd[25537]: Failed keyboard-interactive/pam
for invalid user zi from 10.10.70.139 port 1058 ssh2
...
Ossec version is 2.0.
ossec.conf (server):
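<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <email_to>[email protected]</email_to>
    <smtp_server>mx1.domain.com</smtp_server>
    <email_from>oss...@fafnir</email_from>
    <!-- Addresses that active responses must never act on. OSSEC merges
         every <global> section it finds, so this entry was folded in from
         the separate <global> block the installer appends at the end of
         the file. Only loopback is listed: add the manager's own address,
         the management workstation and any scanner/monitoring host that
         can legitimately trip a level>=6 rule, otherwise the host-deny
         response below can lock you out of your own hosts. -->
    <white_list>127.0.0.1</white_list>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed (seconds); 21600 = every 6 hours -->
    <frequency>21600</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore: volatile files that change on their
         own and would otherwise generate constant integrity alerts -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/nagios/nagiosgraph/rrd</ignore>

    <!-- Windows files to ignore (stock list; only meaningful if this
         syscheck section is shared with Windows agents) -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <!-- Closing tags below were split across lines by mail wrapping in the
         posted copy; they are joined here so the document is well-formed. -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <!-- Plain syslog input. This listener is unauthenticated: anyone able to
       spoof a packet from one of the allowed source addresses can inject
       arbitrary log lines. Because the active response below keys on the
       srcip decoded from the event, an injected line can be used to get an
       arbitrary third-party address blocked on the agents. Keep this list
       tight and prefer agents on the "secure" listener where possible. -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.10.70.4</allowed-ips>
    <allowed-ips>10.10.70.62</allowed-ips>
    <allowed-ips>10.10.70.68</allowed-ips>
  </remote>

  <!-- Authenticated agent channel. -->
  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Response commands. A <command> only declares a script and what it
       expects from the alert; nothing runs until an <active-response>
       block below binds it. In this file only host-deny is bound and
       enabled, test is bound but disabled, and firewall-drop,
       disable-account and route-null are declared but never triggered. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>test</name>
    <executable>test.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Active Response Config -->
  <active-response>
    <disabled>no</disabled>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
       -
       - location "local" runs the script on the agent that produced the
       - alert, not on the manager, so the evidence of a rule-triggered run
       - is that agent's /var/ossec/logs/active-responses.log. Entries
       - tagged (from_the_server) (no_rule_id) are manual agent_control
       - runs, not rule-triggered ones. Switching the location to "all"
       - (suggested elsewhere in this thread as a workaround) pushes the
       - block to every agent and the manager, which widens the impact of
       - a single spoofed or forged log line.
       - Level 6 is a low bar for automatic blocking: any rule at or above
       - it that carries a decoded srcip will deny that host, so keep the
       - white_list above complete.
    -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Diagnostic response; disabled. With level 1 it would fire on nearly
       every event, so leave it disabled except while testing. -->
  <active-response>
    <disabled>yes</disabled>
    <command>test</command>
    <location>local</location>
    <level>1</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.info</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache2/error_log</location>
  </localfile>
</ossec_config>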
active-responses.log:
Di 21. Apr 17:59:46 CEST 2009 /var/ossec/active-response/bin/host-
deny.sh add - 10.10.70.139 (from_the_server) (no_rule_id)
Di 21. Apr 18:00:00 CEST 2009 /var/ossec/active-response/bin/host-
deny.sh add - 1.2.3.4 (from_the_server) (no_rule_id)
(These two entries appeared after I ran
/var/ossec/bin/agent_control -u 004 -b 10.10.70.139 -f host-deny600
and
/var/ossec/bin/agent_control -u 004 -b 1.2.3.4 -f host-deny600
on the server. Both are tagged (from_the_server) (no_rule_id), i.e. manual
runs; nothing at all was logged for the level-10 alert itself.)
Thank You
Mathias
On Apr 21, 3:18 pm, Daniel Cid <[email protected]> wrote:
> Hi Mathias,
>
> There are a few common reasons for an active response not to work:
>
> -The IP is in the white list. You said you simulated a brute force
> attack. Was the IP white listed?
> -By default the responses will be removed after 10 minutes. If you
> don't check immediately, the block may already have been removed by the
> time you look. Because of that, always look at active-responses.log on
> the agent side.
> -No IP address is being decoded from the alert that should trigger the
> response (a command with <expect>srcip</expect> needs one).
>
> Can you check these? If that's not the problem, can you show us a copy
> of the alert that you wanted to trigger an active response (it should be
> inside /var/ossec/alerts/), together with the ossec.conf from the manager
> and active-responses.log from the agent?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Apr 21, 2009 at 9:25 AM, cianop <[email protected]>
> wrote:
>
> > I'm sorry, but I have no idea; I tried everything you tried and it
> > didn't work either. It might be an operating-system problem, or linked to
> > the C library or C compiler. But this is beyond my knowledge, and it
> > should be the OSSEC team that answers, if they want... or better, if we
> > pay... It would be very nice to know which versions of the Linux kernel,
> > gcc, libstdc... work best.
>
> > Luciano
>
> > On 16 Apr, 13:59, mathias1104 <[email protected]> wrote:
> >> Hi,
> >> I have a problem that looks similar.
> >> One server, 4 agents.
> >> Everything works fine; only active responses don't work.
> >> Also, if I try
> >> agent_control -u 004 -b 1.2.3.4 -f host-deny600
> >> it works, but if I simulate a brute force attack on the same agent I
> >> receive an alert with level 10 - so far, so good - but the active response
> >> does not fire.
> >> So the communication between agent and server seems OK, but the server
> >> does not initiate the active response.
> >> Any idea what's wrong?
>
> >> <command>
> >> <name>host-deny</name>
> >> <executable>host-deny.sh</executable>
> >> <expect>srcip</expect>
> >> <timeout_allowed>yes</timeout_allowed>
> >> </command>
>
> >> <active-response>
> >> <disabled>no</disabled>
> >> <!-- This response is going to execute the host-deny
> >> - command for every event that fires a rule with
> >> - level (severity) >= 6.
> >> - The IP is going to be blocked for 600 seconds.
> >> -->
> >> <command>host-deny</command>
> >> <location>local</location>
> >> <level>6</level>
> >> <timeout>600</timeout>
> >> </active-response>
>
> >> On Mar 31, 4:09 pm, "Larry Rider Bou" <[email protected]> wrote:
>
> >> > Hello,
>
> >> > I posted a bug report with the same problem; it was never resolved.
>
> >> > If instead of:
>
> >> > > > <active-response>
> >> > > > <!-- This response is going to execute the host-deny
> >> > > > - command for every event that fires a rule with
> >> > > > - level (severity) >= 6.
> >> > > > - The IP is going to be blocked for 600 seconds.
> >> > > > -->
> >> > > > <command>host-deny</command>
> >> > > > <location>local</location> --> Does not work.
> >> > > > <level>6</level>
> >> > > > <timeout>600</timeout>
> >> > > > </active-response>
>
> >> > If you change `local` to `all` (as below) it will work. (It does for me.)
>
> >> > > > <active-response>
> >> > > > <!-- This response is going to execute the host-deny
> >> > > > - command for every event that fires a rule with
> >> > > > - level (severity) >= 6.
> >> > > > - The IP is going to be blocked for 600 seconds.
> >> > > > -->
> >> > > > <command>host-deny</command>
> >> > > > <location>all</location> --> does work
> >> > > > <level>6</level>
> >> > > > <timeout>600</timeout>
> >> > > > </active-response>
>
> >> > Un saludo,
> >> > Larry A. Rider
>
> >> > -----Mensaje original-----
> >> > De: [email protected] [mailto:[email protected]] En
> >> > nombre de cianop
> >> > Enviado el: martes, 31 de marzo de 2009 12:25
> >> > Para: ossec-list
> >> > Asunto: [ossec-list] Re: active-response doesn't work
>
> >> > I also tried to run the same command on the agent 000 (the server) but
> >> > doesn't work: no line added to hosts.deny, no active-responses.log
>
> >> > Luciano
>
> >> > On 25 Mar, 15:31, Daniel Cid <[email protected]> wrote:
>
> >> > > Hi,
>
> >> > > Did you check for the file /var/ossec/logs/active-responses.log on the
> >> > > agent? You configured the response to run on the agent side, not on the
> >> > > manager. Also, it will time out and remove the block after 10 minutes
> >> > > (for the first entry, not yours)....
>
> >> > > A good way to test is to run the command agent_control:
>
> >> > > # /var/ossec/bin/agent_control -L
>
> >> > > OSSEC HIDS agent_control. Available active responses:
>
> >> > > Response name: host-deny600, command: host-deny.sh
> >> > > Response name: host-deny600, command: host-deny.sh
> >> > > Response name: firewall-drop600, command: firewall-drop.sh
> >> > > Response name: win_nullroute600, command: route-null.cmd
>
> >> > > # /var/ossec/bin/agent_control -u 200 -b 1.2.3.4 -f firewall-drop600
>
> >> > > OSSEC HIDS agent_control: Running active response 'firewall-drop600' on:
> >> > > 200
>
> >> > > The second command will block the IP 1.2.3.4 on agent 200 using
> >> > > firewall-drop600...
>
> >> > > Hope it helps.
>
> >> > > --
> >> > > Daniel B. Cid
> >> > > dcid ( at ) ossec.net
>
> >> > > On Wed, Mar 4, 2009 at 5:40 AM, cianop
> >> > > <[email protected]> wrote:
>
> >> > > > Thank you for your interest. I already posted the whole configuration
> >> > > > in a previous post; anyway, below is the last notification
> >> > > > (brute force on the FTP server):
>
> >> > > > Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
> >> > > > Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed
> >> > > > logins)."
> >> > > > Portion of the log(s):
>
> >> > > > Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> >> > > > Client "221.4.205.132"
> >> > > > Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> >> > > > Client "221.4.205.132"
> >> > > > Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> >> > > > Client "221.4.205.132"
> >> > > > Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> >> > > > Client "221.4.205.132"
> >> > > > Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> >> > > > Client "221.4.205.132"
> >> > > > Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> >> > > > Client "221.4.205.132"
> >> > > > Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> >> > > > Client "221.4.205.132"
>
> >> > > > I get email alerts without problems, also for level 12. I have
> >> > > > checked for the log file, but it does not exist (active-
> >> > > > responses.log). In alerts.log I found the same alert. I have 1
> >> > > > ossec server and 4 agents; the alert came from an agent.
> >> > > > Here is the active-response part of ossec.conf:
>
> >> > > > <command>
> >> > > > <name>host-deny</name>
> >> > > > <executable>host-deny.sh</executable>
> >> > > > <expect>srcip</expect>
> >> > > > <timeout_allowed>yes</timeout_allowed>
> >> > > > </command>
>
> >> > > > <!-- Active Response Config -->
> >> > > > <active-response>
> >> > > > <!-- This response is going to execute the host-deny
> >> > > > - command for every event that fires a rule with
> >> > > > - level (severity) >= 6.
> >> > > > - The IP is going to be blocked for 600 seconds.
> >> > > > -->
> >> > > > <command>host-deny</command>
> >> > > > <location>local</location>
> >> > > > <level>6</level>
> >> > > > <timeout>600</timeout>
> >> > > > </active-response>
>
> >> > > > I disabled the firewall-drop response by adding the <disabled> tag:
>
> >> > > > <active-response>
> >> > > > <!-- Firewall Drop response. Block the IP for
> >> > > > - 600 seconds on the firewall (iptables,
> >> > > > - ipfilter, etc).
> >> > > > -->
> >> > > > <disabled>yes</disabled>
> >> > > > <command>firewall-drop</command>
> >> > > > <location>local</location>
> >> > > > <level>6</level>
> >> > > > <timeout>600</timeout>
> >> > > > </active-response>
>
> >> > > > Here are the directory permissions on the agent and the server:
>
> >> > > > dr-xr-x--- 3 root ossec 4096 Feb 10 14:58 active-response
> >> > > > dr-xr-x--- 2 root ossec 4096 Feb 10 14:58 bin
> >> > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 etc
> >> > > > drwxr-x--- 2 ossec ossec 4096 Mar 4 09:24 logs
> >> > > > dr-xr-x--- 6 root ossec 4096 Feb 10 14:58 queue
> >> > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 var
>
> >> > > > /var/ossec/active-response# ls -l
> >> > > > total 4
> >> > > > dr-xr-x--- 2 root ossec 4096 Mar 2 11:25 bin
>
> >> > > > /var/ossec/active-response/bin# ls -l
> >> > > > total 32
> >> > > > -rwxr-xr-x 1 root ossec 1711 Jan 6 2007 disable-account.sh
> >> > > > -rwxr-xr-x 1 root ossec 3705 Jan 6 2007 firewall-drop.sh
> >> > > > -rwxr-xr-x 1 root ossec 3018 Jun 11 2008 host-deny.sh
> >> > > > -rwxr-xr-x 1 root ossec 1385 Jan 6 2007 ipfw.sh
> >> > > > -rwxr-xr-x 1 root ossec 1617 Jan 6 2007 ipfw_mac.sh
> >> > > > -rwxr-xr-x 1 root ossec 1849 Jun 6 2008 pf.sh
> >> > > > -rwxr-xr-x 1 root ossec 2542 Feb 18 17:08 pix-blacklist.sh
> >> > > > -rwxr-xr-x 1 root ossec 1182 May 24 2008 route-null.sh
>
> >> > > > I also raised the debug level to 2 on the server:
>
> >> > > > # Analysisd (server or local)
> >> > > > analysisd.debug=2
>
> >> > > > # Unix agentd
> >> > > > agent.debug=2
>
> >> > > > to get more information, but nothing more showed up in the alert logs.
>
> >> > > > I also added my own active response keyed on rule id rather than
> >> > > > severity level, but it doesn't work either.
>
> >> > > > <command>
> >> > > > <name>pix-blacklist</name>
> >> > > > <executable>pix-blacklist.sh</executable>
> >> > > > <expect>srcip</expect>
> >> > > > <timeout_allowed>no</timeout_allowed>
> >> > > > </command>
>
> >> > > > <active-response>
>
> ...
>